On October 6th, the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner (“Schrems”) declared “invalid” a decision of the European Commission that the United States-European Union Safe Harbor framework (Safe Harbor) provides adequate protection for personal data transferred from the European Union (EU) to the United States (U.S.). Thousands of U.S. companies have registered with the U.S. Department of Commerce in order to permit the transfer of personal data from the EU to the U.S.
The EU’s 1995 Data Protection Directive (Directive) requires that the transfer of personal data from an EU country to another country take place only if the other country ensures an adequate level of data protection. For the past 15 years, per a 2000 decision by the Commission of the European Communities, U.S. companies participating in Safe Harbor have been deemed to be meet adequacy standards. Advocate General (AG) Yves Bot of the CJEU issued an opinion in September (“AG Opinion”) calling that 2000 decision invalid. AG Bot’s opinion declared that the existing framework governing that exchange of data fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union” because that framework, in AG Bot’s view, contains holes that can allow access to European’s personal data by the NSA and other U.S. security agencies. “[T]he law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the [framework] without those citizens benefiting from effective judicial protection.” And while the FTC and private dispute resolution providers have the power to monitor possible breaches of the framework by private companies, neither has the power to monitor possible breaches by U.S. security agencies. AG Bot stated his belief that, even with an adequacy decision, national Data Protection Authorities retain the power to assess the sufficiency of national data protection regimes outside the EU to which personal data will be transferred.
In Schrems, the CJEU, shortly following the AG Opinion, considered the following two questions:
- Are national DPAs bound by adequacy findings of the European Commission with regard to the transfer of personal data to a third country outside the EU?
- May or must a national DPA conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision if a complaint from a data subject regarding the transfer is received?
In responding to the two questions, the CJEU largely agreed with AG Bot’s opinion, though in language more temperate than the Bot opinion. The CJEU opinion states that:
a decision adopted pursuant to Article 25(6) of [the Data Protection Directive], such as [the decision on adequacy for the Safe Harbor framework], by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.
The CJEU found that the “term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of [the Data Protection Directive] read in the light of the Charter.” In light of well-publicized revelations regarding intelligence gathering by U.S. government agencies and that some of that intelligence gathering involved information transferred by companies from Europe to the U.S., the CJEU found that adequate protections for personal data could not be “ensured” in the U.S. for personal data transferred under Safe Harbor.
Negotiations are underway for a new Safe Harbor. The Obama Administration stated that it is “deeply disappointed” with the CJEU decision with Commerce Secretary Prizker noting that the decision “creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy.”
Impact to Clients
Business entities currently relying on Safe Harbor as a transfer mechanism for personal information will need to evaluate alternative transfer mechanisms. Model contracts (contracts containing standard contractual clauses approved by the European Commission) are a viable alternative, however, multiple contracts may be required to effectively cover all of the transfers addressed by a single Safe Harbor certification. While data subject consent is another option, businesses should be aware that Data Protection Authorities and the Article 29 Working Party (which provides guidance on implementing EU Data Protection requirements) generally do not approve of consent as a transfer mechanism for large volume or repeating transfers of EU-sourced personal information. Binding Corporate Rules (BCRs) may provide a longer option, but their scopes of implementation and requirement for national DPA approval make them impractical as an immediate solution.
While the consensus appears to be that there will be some grace period for business entities to adjust to the ruling, those individuals responsible for compliance with privacy and data protection requirements should move swiftly toward an acceptable method for moving personally identifiable information from the EU to the U.S.