October 2015 - On 6 October 2015, the European Court of Justice annulled the European Commission’s previous decision that enabled companies to transfer personal data between the European Union and the United States without having to go through full-blown clearance procedures in individual EU Member States (the “Safe Harbour Decision”). Following the Court’s ruling, businesses may no longer use the Safe Harbour regime for the transfer of EU citizens’ personal data to the US or to access such data from the US. This leaves companies in the EU with fewer, far less flexible options. Transfers of personal data must now meet domestic requirements and go through local clearance in each EU country from which data will be exported. Alternative solutions exist, including exemptions from clearance, concluding a standard data transfer agreement, or adoption of intra-group binding corporate rules. These options are not, however, a universal or quick fix. Their viability in each specific case depends, most importantly, on how and for what purposes the data is to be transferred and processed and what safeguards for this will be ensured.
Why did the Court strike down the Safe Harbour Decision?
In principle, transfers of personal data to any country outside the European Union and the European Economic Area may take place only if that country ensures an adequate level of data protection by virtue of its domestic law or international commitments. Generally, the national data protection authorities have the responsibility to assess the adequacy of protection with respect to each data transfer and to decide whether or not to clear it. However, the European Commission may decide that a given non-EU country provides sufficient protection and, in this way, grant carte-blanche approval for transfers to that country without the need for case-by-case assessment and clearance. This is what happened in 2000, when the European Commission adopted the Safe Harbour Decision. It held that those companies that put in place certain safeguards required by the US Department of Commerce (the “Safe Harbour Privacy Principles”) were presumed to ensure an adequate level of personal data protection. However, US authorities could still access and process personal data despite those safeguards when national security and law enforcement considerations or statutory obligations so required. No effective legal remedies existed for opposing or challenging such processing of EU citizens’ personal data by the US authorities.
The Safe Harbour Decision eased personal data transfers from the EU to the US immensely and was widely used by businesses, including, notably, technology companies such as Facebook, Yahoo!, Skype and Microsoft when providing their social media and cloud computing services. Allegedly, the US homeland security and enforcement agencies accessed personal data transferred from the EU (including via those services) and processed it for surveillance purposes on the basis of the limitations mentioned above. Data was allegedly processed not in a targeted manner (i.e. only with respect to given individuals suspected of posing a threat to national security), but across the board. This gave grounds for complaints to the national data protection authorities in the EU as to whether the Safe Harbour Decision had correctly found that an adequate level of data protection was ensured in the US. The matter was ultimately referred to the European Court of Justice for resolution.
In essence, the Court ruled that, in order for the level of data protection in the US to be considered adequate, it had to be at least equivalent to the level provided under EU data protection rules. The Court ruled that this was not the case, because of the possibility for the US authorities to monitor personal data across the board on grounds of national security, law enforcement considerations or statutory obligations. In effect, the US authorities accessed and further processed EU citizens’ personal data on grounds very different from those on which the data was originally collected. And this, the Court ruled, runs contrary to EU data protection rules. Moreover, the large-scale intelligence collection and surveillance that the data was used for in the US was considered by the Court to go beyond what was strictly necessary and proportionate to the protection of national security. Against this background, the Court found that the Safe Harbour Decision interferes with and inadequately safeguards the fundamental rights of EU citizens to privacy, and therefore the Court struck down the Decision.
What are the effects of the annulment?
By invalidating the Safe Harbour Decision, the Court removed the possibility of relaxed transfers of personal data from the EU to the US. The Court’s ruling took effect on 6 October 2015, and as of that date, companies may move such data to, access it from, or process it in the US only after obtaining specific clearance for such a transfer. Alternatively, companies may be able to credibly rely on one of the exemptions or alternative solutions set out below.
The Safe Harbour Privacy Principles remain intact, as they were adopted by the US Department of Commerce (and not the European Commission). However, their relevance for the processing of data originating in the EU has been greatly diminished. Now, a US business partner’s certification under those Principles does not warrant full compliance with the EU data protection rules. Additional contractual, technical and physical measures for data protection may have to be negotiated and put in place.
What are the options for personal data transfers to the US now?
As a matter of principle, transfers would have to meet domestic requirements and go through local clearance in each EU country from which data will be exported. However, such clearance would typically not be necessary if one of the derogations under EU data protection rules is applicable, if the EU and US companies conclude a standard data transfer agreement, or in the case of intra-group transfers, adopt binding corporate rules.
EU data protection rules provide for several exemptions from the clearance obligation. The domestic laws of most of the EU Member States (including in Central and Eastern Europe) reiterate them without substantial change. As a result, full-blown clearance would typically not be required when: (i) the individual whose data is transferred consents to the transfer; or (ii) the transfer is necessary for the performance of a contract between that individual and the company that collects his or her data; or (iii) the transfer is necessary for the conclusion or performance of a contract in the individual’s interest; or (iv) the transfer is necessary or legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.
Obtaining an individual’s consent appears to be the near-universal solution. However, the consent must always be explicit, specific and granted prior to the transfer, which would require precise planning, documenting and communication to individuals in order to secure valid consents. In addition to that, transfers on the basis of consent may require additional approval by the national data protection authorities in some of the Central and Eastern European jurisdictions (e.g. the Czech Republic and Romania). When companies contract with end users, they could also resort to the second and third exemptions. However, this would not cover onward transfers to service providers that process or store the data in the US. The fourth exemption appears to apply mainly to one-off transfers, as repeated or multiple transfers would need to take place under the umbrella of a data transfer agreement envisaging appropriate safeguards for processing.
The standard transfer agreement is a contractual template approved by the European Commission that regulates the transfer of data from one or more EU data exporters to one or more non-EU data importers (including in the US). The parties to the agreement may not change the pre-approved clauses. The benefit of concluding such an agreement is that the transfer, or a set of transfers based on it, does not have to be cleared by the local data protection regulators (typically, at most a notification is required, as in Bulgaria). The downsides, however, are several. First, the standard agreement provides no flexibility on the terms of the transfer. Second, identical arrangements would have to be concluded with the data importer’s sub-contractors, which may not always be easy to negotiate and execute. Third, the EU company remains liable under its domestic law for data breaches despite the fact that a US company may effectively store and process the data. And most importantly, the standard agreement may also be challenged on the grounds that it does not ensure an adequate level of protection. Unless the European Commission or the upcoming Data Protection Regulation amends the template, it could potentially be struck down as well, since it suffers from the same deficiencies as the Safe Harbour Decision did.
The adoption of binding corporate rules is not a simple process. It involves working out a coherent group-wide set of rules that can cover data controller to data controller and/or data controller to data processor transfers. Those rules would then have to be endorsed by one lead national data protection authority with the assistance and oversight of the national authorities in two other Member States. In addition, in some Central and Eastern European jurisdictions, the local data protection authority may have to approve the binding rules as well. Given the level of regulatory approval and oversight required and the time and effort needed by a company to prepare a coherent set of rules, this is not a quick solution. The implementation of such rules often takes between 12 and 18 months.