On 6 October 2015, the European Court of Justice ruled that the EU Commission (“EC”) decision approving the "Safe Harbor Framework" – which governs the transfer of personal data from the EU to US-based companies – is invalid (the “Ruling”). Pursuant to the Ruling, national regulators in EU countries have the right to investigate and suspend personal data transfers from the EU to US-based companies that are certified under the Safe Harbor Framework.
Until the Ruling, the EC was authorized to afford recognition to certain countries which offer an adequate level of protection, in order to allow the transfer of personal data from the EU to these countries. In particular, the EC recognized the "Safe Harbor Framework", a self-certification program under which US-based companies could voluntarily agree to abide by several data protection principles in order to allow the transfer of personal data from the EU to US-based companies.
The Ruling states that national supervisory authorities in the EU have the right to supervise, investigate and suspend personal data transfers from the EU to a third country, even if that country is recognized by the EC as affording an adequate level of protection to personal data. In particular, the Court found that the EC’s decision to afford recognition to the Safe Harbor Framework is invalid given that the Safe Harbor Framework enables interference by US public authorities with an individual's privacy rights.
What are the consequences of the Ruling?
In practice, the Ruling jeopardizes the validity of transfers of personal data from the EU to US-based companies which were previously certified under the Safe Harbor Framework, by allowing the national supervisory authorities across the EU to examine, investigate and suspend such transfers. This creates new legal risks for all companies which outsource personal data processing from the EU to the US.
In addition, the Ruling may potentially affect personal data transfers from the EU to non-EU states which were recognized as affording an adequate level of protection (e.g. Israel), which may also be subject to the EU national supervisory authorities' scrutiny and regulatory oversight.
What should we do?
It should be noted that under EU law, the transfer of personal data from the EU to non-EU states may rely upon other methods. For example, the transfer of personal data from the EU may take place if certain conditions are met (for example: if the unambiguous consent of the individual was obtained; if the transfer is required by law, etc.).
In addition, the transfer of personal data may also occur by putting into place model contracts containing standard clauses, which were approved by the EC as providing adequate contractual protection. In this regard, although the Ruling could be used to challenge the validity of transfers based on such contracts, for the time being, model contracts remain a viable method for complying with the EU's privacy laws.
We encourage all of our clients who transfer the personal data of European data subjects to servers or companies located in non-EU states, or who outsource personal data processing from the EU to non-EU states, particularly via services and companies which are certified with the Safe Harbor Framework, to take immediate steps to address the legal risks arising from this Ruling.