On Tuesday, the European Court of Justice ruled Safe Harbor – the agreement that permits U.S. companies to transmit the data of European users to American soil – invalid. As a result, companies are left with a huge amount of uncertainty.
Until now, the Safe Harbor Arrangement ensured that European consumer data could be transferred to the United States, even though the EU's Data Protection Directive strictly limits the transfer of data to a country unless that country guarantees adequate levels of protection. Because United States laws do not meet the requisite levels of protection, U.S. officials negotiated a process by which companies could opt to comply with the Directive and self-certify that compliance. In essence, this "safe harbor" certification meant that a European citizen's personal data being processed by a company on U.S.-based computers was under the same protections as in Europe on a European-based system. The ECJ ruled that, despite the self-certifications proffered by some companies, the Safe Harbor pact violates the rights of Europeans by exposing them to allegedly indiscriminate surveillance by the U.S. government.
In Maximillian Schrems v. Data Protection Commissioner, Case C-362/14, the ECJ overruled a 2000 ruling by the European Commission approving trans-Atlantic data transfers under the Safe Harbor provisions. The ECJ did so because the agreement allowed American government authorities to gain routine access to Europeans' online information. Summarizing its Opinion in a press release, the Court stated, "The United States . . . scheme enables interferences, by United States public authorities, with the fundamental rights of persons…" In its Opinion, the Court specifically mentions the "revelations" made by Edward Snowden concerning United States intelligence services and the activities of the National Security Agency ("NSA"). These "revelations" formed the basis for the lawsuit underlying the ECJ's decision.
In 2013, Mr. Schrems, a Facebook user and Austrian citizen, filed a complaint with the Irish Data Protection Commissioner. As a Facebook user, data about Mr. Schrems is transferred from Facebook's Irish subsidiary to servers located in the United States, where it is processed. Mr. Schrems argued that, in light of Snowden's claims, the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred there. The Irish data protection authority rejected Mr. Schrems's challenge, saying it was bound by the Safe Harbor pact; Mr. Schrems appealed to Ireland's highest court, which has asked the ECJ if such a regulator has the authority to ignore an EU-wide pact.
Because the ECJ agrees with Mr. Schrems, the Irish Data Protection Commissioner is now required to examine Mr. Schrems' complaint and, at the conclusion of its investigations, decide whether, pursuant to the Directive, transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that the United States does not afford an adequate level of protection of personal data.
In other words, while Tuesday's order does not announce an immediate end to those personal-data transfers, it rules that national regulators have the right to investigate them and suspend them if they don’t provide sufficient protections, creating new legal risks for companies.
Various U.S. Government officials have responded to the ruling, including U.S. Secretary of Commerce Penny Pritzker. The Secretary released a statement signaling the Department's readiness "to address uncertainty created by the court decision so that the thousands of U.S. and EU businesses that have complied in good faith with the Safe Harbor and provided robust protection of EU citizens' privacy in accordance with the Framework's principles can continue to grow the world's digital economy."
Negotiations between the United States and the European Commission on an updated Safe Harbor framework are ongoing, although there is no timeframe for completion. However, in light of the ECJ's decision, major U.S. companies, like Microsoft, are publicly calling for a quick re-negotiation of Safe Harbor. In a blog post about the decision, Microsoft publicly states that its cloud services comply with the EU's Model Clauses, "which enable customers to move data between the EU and other places – including the United States – even in the absence of Safe Harbor." Microsoft also notes that "many European nations are currently considering amendments to their surveillance laws," and urges the passing of pending legislation in the U.S. which would strengthen privacy laws – and, therefore, also the EU's assessment of the United States' suitability for its citizens' data.
As a result of this decision, U.S. companies with European users are now open targets for privacy challenges if those companies process European Union data in the United States. All companies should immediately evaluate international data transfers that may be impacted. Because the ECJ allows for no interim period, U.S. companies may prioritize the adoption of strong encryption. Alternatively, U.S. companies may utilize standard data protection clauses in contracts or adopt binding corporate rules for transfers within a corporate group. Others may opt to construct processing centers in Europe.
To be clear, the ECJ's decision does not apply solely to technology companies. It affects any organization with international operations, such as when a company has employees in more than one region and needs to transfer payroll information or allow employees to manage benefits online. All companies should closely monitor the US-EU Safe Harbor website, http://www.export.gov/safeharbor/, for changes and updates to compliance provisions.
The judgment: Maximillian Schrems v. Data Protection Commissioner, Case C-362/14, October 6, 2015.