This article was first published in Intellectual Property Magazine, November 2015
In a landmark judgment issued on 6 October 2015, the Court of Justice of the European Union (the “Court”) invalidated the European Commission’s decision 2000/250 on Safe Harbor, which had been a significant vehicle for transatlantic data flows over the past 15 years, thereby leaving countless businesses in a precarious situation. This article discusses the legal and practical implications of the ruling and proposes a plan of action for companies to start preparing for the post-Safe Harbor era.
Following the Snowden revelations in 2013, an Austrian student named Maximilian Schrems lodged a complaint with the Irish Data Protection Commissioner alleging that US laws offer insufficient protection for EU data and that Facebook’s transfers of EU data to its US servers should therefore be suspended. The complaint was rejected by reference to the Commission’s decision on Safe Harbor.
The Irish Data Protection Commissioner’s decision was challenged before the High Court of Ireland, which referred the case to the Court for a preliminary ruling on the following questions: (i) whether national data protection authorities (“DPAs”) have the discretion to investigate and, where appropriate, block data transfers based on a Commission adequacy finding; and (ii) whether the Commission’s decision on Safe Harbor was still valid.
In a non-binding opinion, Advocate General Yves Bot recommended that (i) Commission adequacy decisions should not affect DPAs’ powers to suspend data transfers unilaterally and (ii) the Commission’s decision on Safe Harbor was invalid.
What did the Court say?
The Court did not follow the Advocate General’s opinion regarding the breadth of the DPAs’ powers and stressed that Commission adequacy decisions may only be annulled by the Court itself. The Court found that DPAs must examine complaints regarding the alleged invalidity of a Commission decision and, where relevant, they should refer the matter to their national courts to request a preliminary ruling from the Court.
On the second question, the Court agreed that the Commission’s decision on Safe Harbor was invalid on the following two grounds:
- The Commission did not assess the adequacy of the Safe Harbor framework in light of US domestic laws which enabled generalised and untargeted access to EU data and which prevailed over the Safe Harbor framework; and
- The powers granted to the DPAs by the Commission under the Safe Harbor framework were too restrictive.
How does the ruling impact businesses?
The Court’s ruling directly affects US tech providers (e.g. cloud providers or online service providers) operating in the EU market and EU data-driven companies which need to transfer data to the US. Since the Court did not grant any “grace period”, the ruling is immediately effective, and so registration within the Safe Harbor scheme no longer has any effect on data transfers. Quite ironically though, the Safe Harbor framework is still operating, and commitments that US organisations have made to adhere to its principles are still legally binding and enforceable by the Federal Trade Commission.
Whilst it is not possible to determine with certainty how and when enforcement action will be carried out, regulatory action in the immediate future is relatively unlikely, at least until supervisory authorities have taken a position on the matter and businesses have had enough time to put their house in order. In the UK, the Information Commissioner’s Office has clearly acknowledged that it will “take some time” for companies to put in place new compliance solutions.
Further, there is speculation that other legal instruments such as Model Clauses and Binding Corporate Rules could potentially be challenged – at least to the extent that they are used to support data transfers to the US – following the same reasoning about the insufficient level of data protection under US laws. However, this outcome seems rather unlikely given the additional safeguards offered by these data transfer mechanisms (e.g. third party beneficiary rights).
In this context, we anticipate that a number of official responses will be delivered at EU and national level over the coming weeks, and organisations should closely monitor the latest developments on this issue. The Commission has stated that it will provide clear guidance to ensure a uniform response from DPAs and to provide legal certainty for organisations. At the time of writing this article, the Article 29 Working Party has scheduled an emergency meeting with a view to ensuring a coordinated response. National DPAs are also expected to meet independently to discuss next steps and help organisations navigate the consequences of the ruling.
It should also be noted that, following revelations on US surveillance programmes in 2013, the Commission and the US have been working on updating the Safe Harbor framework. Much progress has been made so far; however, the main sticking point concerns national security derogations. Most likely, the Court’s ruling will have the effect of speeding up these negotiations. If so, it remains to be seen to what extent these discussions will address the concerns raised by the Court around large scale access to personal data by US intelligence agencies, and how they will take into account the recent EU-US 'Umbrella Agreement' covering data exchanges for the purpose of law enforcement cooperation.
What compliance steps should businesses take?
In the aftermath of the judgment, businesses should start looking into the range of available alternatives in order to come up with a plan of action. That said, companies should not rush into anything until they have had enough time to carefully consider their priorities and the various options offered to them. In this regard, there is no “one size fits all” solution and so businesses should cautiously explore the benefits and risks of each route to determine which one is the most suitable for them.
Organisations are advised to take the following steps to build their own “plan B”:
- Conduct a ‘data transfer audit’: map out existing international data flows and identify key features such as the exporting/importing entities involved, data categories and any sensitive data concerned, associated purposes, core IT systems and storage locations.
- Review which US importing entities rely solely on their Safe Harbor certification (without any other existing grounds) to receive EU data.
- Determine which data transfers should be given priority to work out a solution.
- Keep abreast of the latest developments on the matter (e.g. statements and guidance of EU authorities and national DPAs, progress made on Safe Harbor 2.0).
- Proactively review alternative compliance options and determine the most appropriate for the business.
- Roll out short-term and/or long-term data transfer arrangements.
- Depending on the solution opted for, conduct a ‘country analysis’ to check whether any additional local data protection requirements need to be satisfied (e.g. DPA filing, DPA authorisation, individual privacy notices).
What are the available options?
Amongst the various alternative arrangements, the following are considered the most relevant for businesses:
“Wait and see”
Companies may want to adopt a passive approach until a “Safe Harbor 2.0” is finalised. Whilst this option offers flexibility and is cost/time saving, companies may run the risk of losing customer trust and facing enforcement action in the long run if a new Safe Harbor framework is not agreed in the near future.
Standard Model Clauses or bespoke clauses approved by the DPA
Model Clauses would provide a straightforward short-term solution in that they are easily executable and in line with customers’ expectations of compliance with EU data protection standards. However, this option can become burdensome in some EU countries where DPA filing and authorisation is required. In addition, Model Clauses provide limited flexibility to the parties in terms of contractual arrangements, and they include a number of requirements such as flowing down obligations on to subcontractors. Further, Model Clauses are not suitable for processor-to-processor data transfers, and so businesses may turn to bespoke clauses, which are subject to DPA review. Finally, Model Clauses may not be a realistic option for US providers contracting directly with EU individual customers.
Binding Corporate Rules (“BCRs”)
BCRs are practically focused and offer the ability to tailor a company’s compliance programme to its own needs. As such, they could be a valuable long-term solution, particularly since they are formally recognised by most EU DPAs and are likely to be endorsed by the future General Data Protection Regulation. Yet, companies should bear in mind that the current BCR application process requires significant investments in terms of time, costs and resources and that the Regulation is likely to offer a more streamlined process.
Consent and other statutory derogations
Companies may want to explore whether some of the legal exceptions to the prohibition of data transfers may be relied upon (e.g. performance of a contract, vital interest of the data subject, public interest), as these do not require additional formalities. If so, care should be taken as these derogations only apply in limited and ‘fact specific’ situations, and they are usually construed narrowly by DPAs. In particular, it could be tempting to use consent as a quick fall-back solution. However, in practice consent may be difficult to use for repeated and systematic data transfers (e.g. given that it can be withdrawn at any time), and it is subject to a high level of scrutiny from DPAs (e.g. for employees).
Organisational changes - EU relocation
Organisations may want to limit exposure to US data transfers and therefore revisit their data storage architecture or their vendor strategy, for instance by using EU data centres or EU-based service providers. Whilst these solutions would certainly have some benefits to the extent that data does not need to be further transferred to the US (e.g. to provide remote support), they would require some cost and time for implementation.
The Court’s recent ruling significantly impacts the data privacy landscape and raises a number of uncertainties and compliance risks for organisations which used to rely on the Safe Harbor framework. Businesses will no doubt have to make some internal adjustments in response to these changes, but cautious steps should be taken before switching to another solution. In this regard, we can be hopeful that the forthcoming guidance from the EU DPAs will provide more clarity to ensure the continuation of transatlantic commercial relationships.