The recent groundbreaking decision of the European Court of Justice (“ECJ”), Maximilian Schrems v. Data Protection Commissioner (case C-362/14), has left U.S. entities involved in operations in the European Union (EU) in a state of uncertainty, requiring them to undertake immediate action to ensure that their cross-border personal data transfers are compliant.
Under EU law, personal data cannot be transferred to a country outside the European Economic Area unless that country can provide an “adequate level of protection” for personal data. For more than a decade, the U.S.-EU “Safe Harbor” scheme, established under the EU’s Data Protection Directive (the “Directive”), allowed U.S. companies to self-certify in order to receive and transfer personal data from EU member states. Self-certification allowed U.S. companies to bypass the individualized compliance requirements that each EU member state’s implementation of the Directive imposed on data transfers. This scheme was needed because the U.S. had not been certified by the EU as a country that provides an “adequate level of protection” for personal data received from the EU.
In the Schrems case, an Austrian law student, Max Schrems, challenged the Irish Data Protection Commissioner’s claim that the Safe Harbor agreement precluded the agency from stopping the transfer of the data on his Facebook account from Ireland to the U.S., despite the fact that Facebook is a company which participates - or better, participated - in the Safe Harbor regime. The ECJ ruled on two issues:
- The validity of the Safe Harbor regime in the context of the data transfer to the U.S.
- Whether national data protection authorities within the EU can suspend international data transfers (despite the fact that the European Commission (“EC”) has made a ruling that the receiving country’s protection is adequate).
For the first issue, the ECJ held that the Safe Harbor regime actually does not provide “adequate protection” as decided by the EC in 2000 and declared the EC’s decision invalid. This ruling removes the basis of the Safe Harbor assumption created by the EC and lists several deficiencies of the Safe Harbor regime, including that “national security, public interest or law enforcement requirements have primacy over the Safe Harbor principles…” The court reasoned that the Safe Harbor regime lacked the requisite guarantees of privacy protection, allowing the U.S. to have large scale collection and transfer of personal data with no effective judicial protection for EU citizens.
On the second issue, the ECJ ruled that the data protection authorities in EU member states could suspend such transfers, despite a previous ruling of adequacy by the EC. The result now allows individual EU member states to implement their own data transfer regulations and supervise data transfers through their own data protection authorities. The consequence: if a U.S. entity transfers data out of multiple EU member states, it would most likely have to comply with a different set of national data-privacy regulations for each of the respective EU member states.
The ECJ ruling is effective and enforceable immediately. Currently, the ECJ ruling does not provide a clear guideline for U.S. based companies on how to deal with data transfers. However, at a recent EC press conference, the Commission promised to “come forward with clear guidance for national data protection authorities on how to deal with data transfer requests to the U.S., in the light of the ruling.”
In the meantime, there are several steps a U.S. entity could undertake to ensure compliance, as far as that is currently possible:
- Collect inventory: identify any arrangements that rely on Safe Harbor protection as an initial risk assessment. Prioritize the most important data transfers and attempt to attain compliance by amending contracts and agreements.
- Consider alternatives:
  - Approved model contracts: enter into data transfer agreements based on the EU Commission’s approved model contract clauses. These clauses are generally inflexible, which requires close attention when negotiating with EU data exporters.
  - Obtain consent: EU data protection laws allow the transfer of personal data where the explicit consent of the affected individual(s) is obtained. This can be an extremely burdensome process, as such consent must be fully informed, voluntary and unambiguous to be valid, and it is unlikely to work for bigger organizations.
  - Adopt Binding Corporate Rules (BCR): for U.S.-EU intra-company data transfers, a U.S. entity could consider implementing BCR and obtaining approval for them from the relevant EU member states’ data protection authorities. The process of implementing BCR is expensive, time consuming and difficult, but it could work well for larger organizations.
We believe that the practical implications of the suspension of the Safe Harbor regime without any kind of transitional grace period will most likely be taken into consideration by the EC and national data protection authorities when it comes to enforcement during this period, since up until now companies have relied in good faith on the Safe Harbor rules and must now wait for the “clear guidance” that the Commission will issue in the near future. In light of the ECJ ruling, U.S. entities should consider whether any steps can be undertaken to mitigate enforcement risk: pursuing the alternatives above, reviewing existing privacy policies, avoiding the collection of sensitive data not critical to the company’s business, and reviewing existing vendor or customer agreements.
We are monitoring this development and working with our State Capital Group alliance partners in the EU to assist our U.S.-based clients in implementing best practices for navigating the issues that arise from the ECJ ruling.