The Court of Justice of the European Union ruled this morning that the Safe Harbor regime, which enables transatlantic data transfers from the European Union to the United States, is invalid, thereby giving each national supervisory authority the chance to revisit the question of whether the U. S. provides an adequate level of protection for EU citizens’ data.  A copy of the decision be found here.

A very quick summary of the case is at the end of this note for those who are interested in more detail.

Consequently, if your company relies on Safe Harbor as the exclusive basis for its transfer of personal data from the EU to the U.S., it may need to find another basis to legitimize the transfer as soon as possible.  The primary options are:

  1. Consent of the data subject to the transfer.  In most circumstances, the consent needs to be explicit and fully informed to be valid.  It should also be noted that consent is not permitted in all EU countries.
  2. Binding corporate rules (BCR) for intragroup transfers. BCRs need to be approved by the relevant national information commissioners, and this is a lengthy process (potentially 18 months or more).
  3. Establish Contracts between the exporting and receiving entities incorporating the Model Contract Clauses. The European Commission has provided Model Contract Clauses that can be incorporated into agreements to ensure adequate protection of the transferred personal data. It should be noted that Model Contract Clauses only address data transfers between an EU exporting entity and U.S. receiving entity and, thus, alone would not solve for all data transfers.
  4. Adequacy Self-Assessment in member states. Certain EU member states accept self-assessment to legitimize the transfer of EU data to the U.S.

It’s important to stress that this decision, while important, is not wholesale ban on data transfers to the U.S. and the options above provide viable alternatives for such transfer.

For many U.S. companies, taking a “wait and see” approach may be the most sensible course of action at this very early time, as now each national supervisory authority must determine whether the U.S. provides an adequate level of protection for EU citizens’ data. The on-going negotiations of a new safe harbor agreement could also result in reconfirmation of the Safe Harbor program in a way that is also consistent with today’s ruling.

We know that this decision is disconcerting for companies who have been relying on Safe Harbor to legitimize the transfer of data from the EU to the U.S., and we’re happy to set up a time to walk you through the different options above or help answer any questions or concerns you might have.

The case digest is as follows:

Directive 95/46/EC of the European Parliament, as amended, addresses the transfer and protection of data.  Article 25 of Directive 95/46 provides that personal data may be transferred out of the EU to a third country only if the third country in question ensures an adequate level of protection.

Where the European Commission finds that a third country does not ensure an adequate level of protection, the EU Member States shall take the measures necessary to prevent any transfer of data to the third country in question.

The Commission may also find, however, that a third country does ensure an adequate level of protection.

Commission Decision 2000/520/EC of 26 July 2000 found that the United States safe harbor regime provides an adequate level of protection within the meaning of Article 25 of Directive 95/46.

Mr. Schrems made a complaint to the Data Protection Commissioner asking the Commissioner to prohibit Facebook Ireland from transferring his personal data to the United States. Mr. Schrems contended that United States law and practice does not ensure an adequate level of protection within the meaning of Article 25 of Directive 95/46.

The Commissioner rejected the complaint because the Commission Decision 2000/520 had held that the United States safe harbor regime ensures an adequate level of protection.

Mr. Schrems challenged the decision in the High Court (Ireland).  The High Court observed that Mr. Schrems was in reality challenging the legality of the safe harbor regime which was established by Decision 2000/520.  Even though Mr. Schrems had not formally contested the validity of either Directive 95/46 or Decision 2000/520, the question was raised, according to the High Court, as to whether, the Commissioner was bound by the Commission’s finding in Decision 2000/520 that the United States ensures an adequate level of protection or whether Article 8 of the European Charter authorized the Commissioner to break free from such a finding.

The High Court decided to stay the proceedings and to refer the question to the Court of Justice for a preliminary ruling.

The Court of Justice explained that the finding that a third country does or does not ensure an adequate level of protection may be made either by the Member States or by the Commission.  If the Commission finds that a third country ensures an adequate level of protection, any such decision is addressed to the Member States, who must take the measures necessary to comply with it until such time, if ever, as the Commission decision is declared invalid by the Court of Justice.

The Court of Justice emphasized, however, that the Commission’s determination that a third country ensures an adequate level of protection must be based on domestic law or international commitments that respect safe harbor principles.  The Court of Justice criticized Decision 2000/520 on this and other points because Decision 2000/520 allows ‘national security, public interest, or law enforcement requirements’ to prevail over the safe harbor principles, thereby allowing self-certified United States organizations receiving personal data from the European Union to disregard those principles without limitation where they conflict with law enforcement requirements.

Second, the Court of Justice emphasized that the adequacy of the protection ensured by the third country must be periodically reassessed because the level of protection ensured by a third country is liable to change.   Because of revelations that the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way that was incompatible with the purposes for which it was transferred and in ways deemed beyond what was strictly necessary and proportionate to the protection of national security, the Court of Justice found that the factual predicate for Decision 200/520 was no longer valid.

The Court (Grand Chamber), therefore, ruled:

  1. that a decision such as Commission Decision 2000/520 on the adequacy of the protection provided by the safe harbor privacy principles issued by the US Department of Commerce does not prevent a supervisory authority of a Member State from examining the claim that the law and practices in force in the United States do not ensure an adequate level of protection; and
  2. That Decision 2000/520 is invalid.