1. What was the Safe Harbor framework and why was it needed?
In 2000, the United States Department of Commerce and the European Commission agreed the 'Safe Harbor' regime as a means to ensure necessary protection for European individuals whose personal data is transferred from within the European Economic Area to the US.
The Data Protection Directive requires countries within the EEA to implement laws prohibiting the transfer of personal data to a non-EEA country unless that 'third country' ensures an 'adequate level of protection'. The EEA comprises 31 countries – Norway, Iceland, Liechtenstein and all 28 Member States of the European Union.
Safe Harbor allowed US companies to self-certify a commitment to protect personal data in accordance with standards which were accepted to meet European requirements. The European Commission's 'Safe Harbor Decision' confirmed that transfers to such companies were deemed 'adequately protected'. Over 4000 US companies have signed up to the regime.
2. What did the Court of Justice of the European Union say?
The decision in Maximillian Schrems v Data Protection Commissioner invalidated the Safe Harbor Decision with immediate effect. From 6 October 2015, the Safe Harbor regime therefore ceased to provide a valid legal basis for EEA-US transfers of all types of personal data.
The Court stated that this was necessary because the Safe Harbor Decision:
- contained a derogation allowing US companies that had self-certified under the regime to share data for national security purposes. However, the agencies with whom data is shared in such circumstances fall outside the Safe Harbor safeguards, and the Safe Harbor Decision did not address whether there was 'adequate' protection for data so processed; and
- established a disproportionately high threshold for national Data Protection Authorities to intervene and secure protection for individuals. The Commission did not have the authority to restrict the independence of DPAs in this way.
For a full summary of the facts, an analysis of the judgment and a link to a recorded webinar discussing its implications for businesses, please see our bulletin here.
3. Can the decision be challenged?
The Court of Justice is the highest court in the European Union. As such, the ruling cannot be appealed or challenged.
4. Does the decision preclude all EEA-US data transfers?
No. Safe Harbor was only one of a number of approved methods by which personal data can be legally transferred outside of the EEA. These other legal bases include:
- the use of European Commission approved 'Standard Contractual Clauses'. These model contracts (1) impose non-negotiable obligations on contracting entities to ensure protection for relevant individuals and (2) allow individuals to enforce corresponding rights and obtain compensation in the event of a breach;
- the use of 'Binding Corporate Rules' to facilitate data flows within a corporate group. These rules must be approved by the relevant European authorities;
- reliance on a number of exemptions. The Data Protection Directive states, for example, that personal data may be transferred to a non-EEA country that does not ensure 'adequate protection' where the transfer is necessary for the performance of a contract between a company and the individual, where necessary in the public interest or where the individual has given their unambiguous consent to the international transfer; and
- individual DPAs may accept other country-specific justifications for non-EEA transfers. In the United Kingdom, for example, data controllers may 'self-assess' the adequacy of protection offered in the third country. The UK is unusual in permitting this.
There is uncertainty as to whether these alternative legal bases are affected by the ruling. Although it does not make any explicit conclusions on the wider state of US law and practice, the judgment does make a number of statements against which they should be judged. It states, for example, that legislation permitting public authorities access on a generalised basis to the content of electronic communications, and which fails to give individuals effective means of redress, must be regarded as compromising the essence of European law.
This could provide ammunition for national DPAs to interpret the decision widely and refuse to allow reliance on the alternative mechanisms referred to above, on the basis that they cannot adequately protect against fundamental flaws in the US system. This is particularly likely in the case of SCCs, which explicitly allow DPAs to prohibit or suspend data transfers where they consider that the law of the data importer contains requirements to derogate from data protection principles beyond those 'necessary in a democratic society'.
The extent of the decision, and the consequent ability to rely on alternative legal bases for transfers, will therefore depend on the political reaction from relevant bodies in Europe and the US. This is discussed in question 5 below.
5. What has the political reaction been?
Article 29 Working Party
The Article 29 Working Party, comprising representatives of Member State DPAs, the European Data Protection Supervisor and the European Commission, issued a non-binding press release on the implications of the judgment on 16 October 2015. Although it stressed the need for a robust common position, the lack of clear, immediate guidance as to next steps for organisations transferring data suggests a possible divergence of opinion amongst national authorities. The Article 29 Working Party stated that:
- the existence of mass, indiscriminate surveillance within the US underpins the Court's reasoning and is incompatible with the European legal framework. Existing tools for the transfer of personal data are not the solution to this issue;
- whilst DPAs continue to analyse the scope of the decision, SCCs and BCRs will remain a valid legal basis for EEA-US data transfers. This does not, however, remove individual DPAs’ ability to exercise their powers to protect individuals on a case-by-case basis;
- transfers that are made in reliance on Safe Harbor are, however, immediately unlawful and DPAs may take steps to reach out to companies known to rely on Safe Harbor; and
- there is a suggestion that a three-month 'grace period' for enforcement action may be recognised to allow for political solutions to be reached. However, the statement emphasises that this will not stop individual DPAs taking actions they consider necessary to protect individuals (for example, this could be refusing to authorise transfers or suspending data flows). If the Commission and US fail to reach agreement on a suitable replacement for Safe Harbor, and depending on the ongoing assessment of other transfer tools, European DPAs are committed to take appropriate steps, which may include coordinated enforcement action in respect of those who fail to implement alternative, valid methods of transfer.
Individual Data Protection Authorities
Some DPAs have stated they will be taking a measured approach to the judgment and will not seek to punish companies who diligently seek alternative transfer solutions. The UK's Information Commissioner's Office has stated, for example, that the decision does not affect the legitimacy of SCCs, BCRs, statutory exemptions and the data exporter's ability to 'self-assess' the adequacy of protection in non-EEA countries.
Other DPAs have interpreted the decision as having more far-reaching implications. The DPA in the German state of Schleswig-Holstein, for example, has declared that established alternative mechanisms, such as SCCs and individual consent, will also be insufficient to provide 'adequate protection' for transatlantic data transfers. They state that only a change in US law can rectify the situation. In effect, this means that for companies established there, all transfers of personal data to the US are now illegal. Such a statement does not affect companies without a presence in this region.
It will be essential to follow the statements and approach of the DPAs relevant to your organisation over the next weeks and months. Please see our bulletin recording the stance of European DPAs for more information.
Institutions of the European Union
- In a joint statement given by Frans Timmermans (First Vice President) and Commissioner Věra Jourová, the European Commission indicated that its priority is ensuring the continuation of transatlantic data flows, which it considers the backbone of the European economy. To this end, it has undertaken to intensify efforts to reach agreement with the US on a new 'Safe Harbor' framework that ensures adequate safeguards for individuals, and stated that until such an agreement is struck, the other accepted mechanisms for international transfers (see question 4) should remain a valid legal basis for transfer.
- The new President of the Court of Justice, Koen Lenaerts, has stated that the decision is consciously not the same as the earlier opinion of Advocate General Bot (subject to previous Bird & Bird analysis here) delivered as part of the European judicial process. While the focus of AG Bot's opinion was to criticise the broader state of US law and practice, Lenaerts emphasised that the Court did not, itself, make any comment on the state of US law. Instead, the decision is a pure judgment on EU law. Although ambiguous, this could lend weight to any argument that the decision should only invalidate the Safe Harbor regime in a narrow sense, and not the alternative transfer mechanisms.
The decision has been greeted in the US with near universal criticism. Much commentary suggests it is flawed because it is based on the state of US law at the time of the Snowden revelations in 2013, rather than in 2015, by which time numerous remedial measures had been taken. These include:
- the provisional 'umbrella agreement' reached in September 2015 between the EU and US designed to protect data exchanged for the purpose of law enforcement co-operation;
- the US Judicial Redress Bill, passed by the House of Representatives on 20 October 2015 and now pending before the Senate, which will grant European citizens the right to obtain judicial redress and enforce rights before US courts if their data is incorrectly or unlawfully processed (e.g. unlawfully disclosed) by certain US government agencies; and
- the fact that a US Court of Appeals (the Second Circuit) has ruled that the bulk collection of telephone metadata is unlawful; such a decision may facilitate a full legal challenge against the National Security Agency.
Josh Earnest (White House Press Secretary) has said, for example, that the US government believes this decision was based on incorrect assumptions about data privacy protections in the United States. Numerous industry bodies also criticise the uncertainty created by the decision and its potentially negative impact on business within the digital economy. Please see our bulletin recording the initial reactions of a number of US governmental representatives, industry bodies and companies here.
6. When am I 'transferring' data out of the EEA?
Under European law, data is considered 'transferred' when it is either physically transferred to another country (e.g. to be stored in a data centre on that territory) or when a person located in another country accesses the data from that country. It is therefore an extremely broad concept that may apply even if the personal data remains physically stored within the EEA.
7. What will happen if I continue to rely on Safe Harbor for international transfers?
Although the US Department of Commerce continues to administer the Safe Harbor program, the Article 29 Working Party unanimously agreed that transatlantic data transfers still occurring in reliance on the Safe Harbor regime are now unlawful.
While the likelihood of immediate enforcement action will depend on the stance of individual DPAs, organisations transferring data to the US on the basis of Safe Harbor should seek a swift and diligent transition to other mechanisms. Failure to make a conscious effort to address the privacy concerns highlighted in the judgment will only increase compliance risk.
8. What do I need to do if I relied on Safe Harbor?
Organisations must evaluate their relationships with service providers and processors to establish the legal basis that currently justifies their transatlantic data transfers. Where this was Safe Harbor, alternative arrangements should be implemented without delay to mitigate the current legal uncertainty.
Although BCRs and reliance on exemptions have been mentioned by the European Commission and certain DPAs as permissible alternatives in the short term, the use of SCCs with service providers and clients is likely to be the most appropriate course of action for many organisations. Reasons for this include:
- the establishment of BCRs within a corporate group requires a somewhat lengthy process necessitating authorisation from multiple domestic DPAs; and
- national DPAs and judicial bodies have an obligation to interpret relevant exemptions to the general prohibition on non-EEA transfers narrowly. This makes reliance on them uncertain in many cases.
A number of US service providers are already offering customers and partners the opportunity to enter into 'data processing addendums' which purport to incorporate the Commission approved SCCs. Whilst these may provide an immediate 'quick fix' to transfer issues (subject to the ability of national DPAs to intervene on a case-by-case basis), such offerings should be considered carefully. This is because such a contract will be insufficient to justify non-EEA data transfers where changes have been made to the standard wording within the Commission approved clauses.
9. Will consent from individuals justify non-EEA data transfers?
'Unambiguous consent' is another basis upon which data can be transferred.
However, consent needs to be treated with some care. It can be withdrawn, for example, so it should only be relied upon where an organisation has a viable 'plan B'. In addition, data protection authorities generally consider consent given by employees to be insufficient, because their subordinate position in relation to their employer means it cannot be freely given.
10. Will there be a new Safe Harbor regime?
Relevant bodies on both sides of the Atlantic, including the Article 29 Working Party and the European Commission, have urged the swift negotiation and agreement of an improved 'Safe Harbor 2.0'.
The Commission issued a statement on 26 October 2015 acknowledging agreement with the US 'in principle' but highlighting that issues remain as to how such commitments will be made binding enough to fully meet the Court's requirements. It remains to be seen how quickly this can be turned into a new data transfer mechanism, given the need to provide for US legislative action and scrutiny by various European bodies (including the Article 29 Working Party, the Commission and (most likely) the European Parliament).
11. Are data transfers from other countries to the US affected?
The Swiss Data Protection Authority (FDPIC) has confirmed in a statement that, until Switzerland negotiates a new framework with the US, the US-Swiss Safe Harbor regime no longer provides a valid legal basis for transatlantic data transfers. The FDPIC does not explicitly mention the prospect of enforcement action, but calls upon businesses to adapt or implement contracts with US companies before the end of January 2016. It also commits to coordinating with other European DPAs to determine what other actions may be required to protect the fundamental rights of individuals.
The Israeli Data Protection Authority (ILITA) has also announced that, in light of the decision, the Safe Harbor regime can no longer provide a legal basis for transfers of personal data from Israel to the US. Organisations should diligently implement the alternative legal bases, which are not affected. These include: (1) the consent of individuals; (2) where the transfer is from an Israeli parent company to a foreign subsidiary; or (3) where the data importer enters into an agreement with the data exporter to comply with Israeli data protection law. In addition, data exporters must always obtain a written undertaking from the data importer that it will implement sufficient safeguards to protect individuals' privacy rights and refrain from any onward transfer, whether within its own country or to any other country.
Given the statements of the authorities above, and the likelihood that other non-EEA DPAs will take a similar stance, it would not be advisable to rely on any form of Safe Harbor framework, wherever the data is being transferred from.