The Court of Justice of the European Union ("CJEU") ruled yesterday in case C 362/14 that the Safe Harbor Agreement, on which a vast number of companies have based their cross-border transfers of personal data to the US, is invalid with immediate effect. The judgment also results in more uncertainty on the legality of data transfers to other non-EEA countries that the EU Commission has whitelisted for being considered to provide an adequate level of protection. The judgment means that at least businesses that use Safe Harbor must immediately review how they ensure that data transfers over-seas comply with EU data protection laws.

What and why?

As a main rule, transferring personal data outside the borders of the EEA is prohibited. However, data transfers are allowed if the third country concerned ensures an ‘adequate level of protection’ (e.g., US companies certified under the Safe Harbor regime) or if there is another legal basis for doing so under the EU Data Protection Directive for the cross-border transfer (e.g., through the use of model clauses approved by the Commission or by obtaining the consent of the data subjects).

Thousands of companies have relied on Safe Harbor certification to transfer personal data from the EEA to the US, and over 4,000 US companies are Safe Harbor certified. The legitimacy of this decade-old data transfer program was quashed over-night with immediate effect.

On 6 October 2015 the CJEU decided a landmark privacy case initiated by an Austrian law student Max Schrems against the Irish data protection authority. Schrems had challenged Facebook's cross-border data transfer practices under the Safe Harbor regime before the Irish data protection authority due to Edward Snowden's revelations concerning US government mass-surveillance programs. To summarize, the CJEU:

  • declared the European Commission's Safe Harbor decision invalid, and
  • confirmed that national data protection authorities may investigate complaints alleging that a third country does not ensure an adequate level of personal data protection and suspend or prohibit the transfer of personal data, even though the European Commission would have found such country to offer adequate protection of personal data.

The main reason for the CJEU's findings relates to the compromising of fundamental rights and freedoms of EU citizens. The Court noted that "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life".

Following the judgment of the CJEU, the Irish Data Protection Commissioner is required to examine, whether the transfer of data of Facebook’s European users to the U.S. should be suspended given that the level of protection provided by the US for data transferred under the Safe Harbor Framework is no longer adequate.

What are the consequences?

The judgment inevitably has major consequences for companies regularly transferring personal data overseas (e.g., US-based global companies and their EU-based subsidiaries in relation to HR data; US-based cloud service providers that base their standard offering on Safe Harbor; EU-based companies who have their servers overseas, etc.). 

However, in addition to a US entity’s Safe Harbor certification no longer being a valid legal basis for data exports to the US, data exports to other non-EEA countries considered by the European Commission to have an adequate level of protection may now also be questioned by national data protection authorities. The EU Commission has so far recognized Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US under the Safe Harbor regime as providing an adequate level of protection.

Furthermore, it is likely that Max Schrems' example and the CJEU's interpretation of the powers of national data protection authorities in cases of complaints, will increase the number of complaints against companies' data transfer practices by data subjects and privacy advocacy groups.

How should companies react?

US and European companies should immediately analyze their cross-border data flows to the US including reviewing their supplier chain. Some companies may not be aware of all the types of data they transfer. For compliance purposes, companies should map what kinds of data they transfer, identify the data subjects (customers, employees etc.), and estimate the quantities of transferred data. To the extent they have relied on Safe Harbor only in connection with data transfers, companies should consider alternative mechanisms to legalize their data transfers. For example, the following alternatives may be available, but each of them also have certain disadvantages:

  • EU Model Contract Clauses (disadvantage: Compliance secured only if used in unaltered form; approved model clauses not yet available, e.g., in processor-to-processor situations. It is also uncertain whether the clauses provide a sufficient level of protection for the data subjects, as the same intrusive laws may apply to them as well).
  • Binding corporate rules allowing intra-group transfers (disadvantage: There is a rigorous process to implement such policies and the process is likely to require up to two years to complete).
  • Prior express consent of the data subjects (disadvantage: May not be a feasible solution in practice, because consent may be revoked at any time (preventing any further transfer of data) and is not considered valid if not freely given. For example, in an employment context it may be difficult to rely on consent considering the employee's dependency on the employer).
  • (If it is not necessary, companies should refrain from transferring data to the US, especially sensitive data. If the legal uncertainty persist for an extended period of time, companies may consider other options like building a data center or negotiating data processing agreements with service providers in the EEA to circumvent the issue altogether (disadvantage: Limitedly available solution for companies due to existing infrastructure or economic constraints).)

It remains to be seen how fast and to what extent enforcement authorities will start scrutinizing companies' compliance in cross-border data transfers. There may however be some leeway and understanding by the authorities during a short transitional period: For example, the UK authority, the Information Commissioner's Office, announced immediately after the ruling that they recognize that companies will need some time to find alternative transfer mechanisms. Furthermore, the Article 29 Working Party announced that they will shortly schedule meetings to provide a coordinated analysis of the judgment and to determine the consequences for data transfers.

Will the law change first or could there be a political solution ("Safe Harbor 2.0")?

Although companies should take no risks while awaiting for further guidance from authorities and legislators, but start preparing for the alternative measures immediately, a political solution may be forthcoming in the near future – possibly in the form of "Safe Harbor 2.0". The EU Commission and US authorities have advanced well in their on-going negotiations relating to the replacement of the old Safe Harbor regime. Further, negotiations for an umbrella agreement between the US and EU relating to law enforcement cooperation have recently been completed. On the other hand, as the Court's ruling sets a high threshold for surveillance activities, it may be difficult to find political solutions in the short term and to finalize "Safe Harbor 2.0".

In the meantime, the European Parliament, the Commission and the Council are conducting negotiations with the optimistic goal of having the new EU Data Protection Regulation finalized by year end. It is possible that the new regulation, once in force after a two-year transitional period, will provide greater flexibility in legitimizing cross-border data transfers. On the other hand, the data protection regulation will give even more power to DPAs in terms of enforcement, and financial sanctions for non-compliance may be severe if the proposal of introducing fines of up to 2-5 % of a company's global annual turnover is implemented.

In summary, this decision entails great uncertainty for companies, and the judgment may even put the thriving transatlantic digital economy at risk, as noted by the US Department of Commerce. However, US authorities have announced that they are "prepared to work with the European Commission to address uncertainty created by the court decision" so that the companies who have complied "in good faith" with the framework can continue to thrive.