Urgent Need to Consider Alternative Compliance Mechanisms
On Oct. 6, 2015, the European Court of Justice (CJEU) released its final judgment on the closely-watched U.S.-EU Safe Harbor (Safe Harbor) case, ruling that national Data Protection Authorities (DPAs) in the European Union (EU) retain the right to investigate complaints relating to the Safe Harbor and declaring that the Safe Harbor itself is invalid. This important decision will have a significant impact on the large number of companies currently relying on the Safe Harbor to comply with EU law regarding their EU-to-United States (U.S.) data transfers.
The EU has very high standards for privacy and data protection, and the transfer of data from the EU to another jurisdiction is permitted only if the receiving jurisdiction has “adequate” data privacy laws in the eyes of EU authorities. Among the countries that are deemed by the EU not to have adequate data protection laws is the U.S. Given the need of many multi-national businesses to transfer data from the EU to the U.S., in 2000, the European Commission endorsed the Safe Harbor regime, a relatively streamlined and cost-effective means for companies to voluntarily commit to a certain level of data protection in order to legally transfer personal data from the EU to the U.S.
The CJEU case that ultimately resulted in the invalidation of the Safe Harbor regime began with a complaint by an Austrian citizen to the Irish Data Protection Commissioner on the heels of Edward Snowden’s exposure of the U.S. National Security Agency’s surveillance programs. The Complainant argued that, based on these revelations, the U.S. offered no real protection against data surveillance and he sought to prevent transfers of personal data from the Irish server of a social networking company, which acts as the data controller for the company’s European users’ data, to the company’s servers in the U.S.
The Irish Data Protection Commissioner refused to investigate the complaint, stating that he was bound by the European Commission’s decision that the Safe Harbor provides adequate personal data protection for transfers to U.S. companies participating in the scheme. When the Complainant appealed this decision, the Irish High Court made a preliminary reference to the CJEU. The referred question was whether, in the light of the Safe Harbor agreement, national DPAs are able to block data transfers from the EU to the U.S.
The CJEU’s Judgment
The CJEU emphasized the importance placed on protecting EU privacy rights, notably those guaranteed in the EU Data Protection Directive and the European Convention on Human Rights. Following the Opinion of Advocate General Yves Bot of Sept. 23, 2015, the Court found that a European Commission decision does not prevent DPAs in EU Member States from exercising their powers of intervention, nor does a Commission decision reduce national authorities’ duty to assess compliance with EU data protection rules when it comes to the transfer of personal data to the U.S.
Moving significantly beyond the referred question, the CJEU then noted that the law and practice of the U.S. allows for the large scale collection of data without providing effective protection to individuals. The Court found that the current legal regime in the U.S. requires companies “to disregard, without limitation” the protective rules laid down by the Safe Harbor where they conflict with U.S. national security and public interest. The Court added that, as a result of the broad access by U.S. public authorities to personal data of EU citizens, the Safe Harbor regime compromises “the essence of the fundamental right to respect for private life,” thus rendering the regime invalid.
What to do?
Roughly 4,500 companies in a wide variety of industries currently rely on the Safe Harbor as a mechanism for complying with EU data protection laws. Given the renewed license to national authorities to review company compliance against domestic standards, companies now have dozens of legal environments to navigate. The prospect of massive enforcement actions against U.S. companies is unlikely in European countries with characteristically pragmatic regulators (such as those in Ireland and the United Kingdom). In such countries, a grace period will likely be granted to give companies time to revise their compliance programs without risking liability. Meanwhile, in countries where the Safe Harbor Framework has long been regarded with scrutiny, such as Germany, there may be an expectation among regulators that alternative arrangements should already be in place.
Prudent companies should therefore swiftly consider and adopt one of the other mechanisms accepted by the EU authorities for legally transferring data from the EU to the U.S. or other countries they deem to have inadequate data protection laws. There are three key options for companies to consider.
1. Standard Contractual Clauses
The European Commission is empowered to approve standard, non-negotiable contractual clauses that offer sufficient safeguards for privacy protection, without the need for DPA approval. These model clauses have been pre-approved, and enable personal data to be transferred from the EU to countries with legal regimes that do not meet the EU’s data protection standards. However, as a result of the CJEU’s judgment, national authorities in each EU Member State will now be poised to review any Commission decision on the adequacy of these clauses. Therefore, this approach may itself face scrutiny in the near future.
2. Binding Corporate Rules
Binding Corporate Rules (BCRs) are legally enforceable rules established by corporations specifically for international intra-group data transfers. The downside of BCRs is that they must be committed to the relevant national DPA for approval prior to any transfer. Only 21 countries in the European Economic Area (EEA) having agreed to a mutual recognition procedure within Europe for BCRs approved in other participating states. Further, receiving DPA approval for a BCR involves a lengthy procedure that can take anywhere from six to 18 months to complete. The time investment in receiving this approval is all the more reason for group companies to take active steps sooner, rather than later.
Companies also can secure the express consent of the data subject for future transfers from EU countries to the U.S. The data subject’s consent must be informed and freely given. Extra precautions should furthermore be taken to inform the data subject if sensitive personal data will be transferred. Relying on consent alone may not be practical in certain situations, and is both difficult and administratively burdensome for companies transferring en masse the personally identifiable data of a large number of individuals. Companies relying on user consent must keep records of the consent in the event of a legal challenge and must honor withdrawals of such consent, where applicable.
In determining what combination of these options offers the best safeguards in a given company’s situation, guidance documents are provided by DPAs in some EU Member States.
An alternate Safe Harbor currently is in the process of being renegotiated by the U.S. and EU, and this judgment will no doubt be incorporated into (and further complicate) the lengthy negotiation process. It is clear that the invalidation of the current Safe Harbor places tremendous pressure on negotiators to reach a new agreement quickly. In the interim, companies should consult with knowledgeable professionals and take advantage of one or more of the abovementioned data protection alternatives to ensure compliance until the new regime is implemented.