The Snowden revelation that the United States conducted surveillance on citizens of other countries has had significant impact, including on the transfer of personal data from the EU to the US. The latest impact comes from a decision by the EU Court of Justice (ECJ) that has effectively eliminated Safe Harbor as an option for EU-US data transfers.

EU Restrictions on Data Flows to the US

As we have reported in the past, the EU Privacy Directive (Directive 95/46/EC) prohibits the exporting of personal data out of the EU to other countries unless those countries’ laws provide “adequate protection” for personal information, with the EU determining what constitutes adequacy. The US privacy laws have historically not been viewed as providing adequate protection, which made US-EU transfers of information difficult. Companies receiving information formerly had four options. They could: (1) enter into a transfer agreement using “model clauses”; (2) put in place binding corporate rules (which must be approved by an EU data protection authority); (3) get consent from the individual (this option is not always available, however); or (4) participate in a special EU-US “Safe Harbor” Framework that the European Commission determined to be adequate in Decision 2000/250. With this new decision, Safe Harbor is now off the table.

Schrems Files Suit: How We Got Here

As EU citizens became increasingly concerned over US surveillance activities, an Austrian citizen filed suit in Ireland (Schrems v. Data Protection Commissioner) arguing that Facebook Ireland should not be permitted to send his information to the US. In particular, he feared that his information would fall into the hands of the US government. The Irish Data Protection Commissioner rejected Schrems’ complaint, largely on the grounds that the EU Commission had already decided that the Safe Harbor Framework provided “adequate protection” for purposes of the EU Privacy Directive. Schrems appealed to the Irish High Court. While he did not specifically state as much in his appeal, he was effectively challenging the validity of the EU-US Safe Harbor Framework. The Irish High Court stayed the proceedings and asked the ECJ for a preliminary ruling as to whether the Irish Data Protection Commissioner could, in fact, look at the underlying adequacy of the EU-US Safe Harbor Framework, notwithstanding the EU’s prior determination that it was in fact adequate.1

Yesterday, the ECJ issued its ruling, concluding that Decision 2000/250 is invalid (and the Safe Harbor program not adequate) for two key reasons. First, the ECJ found the decision invalid because it failed to take into account whether or not the United States “‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments.”2 Second, the ECJ took issue with the decision because it improperly attempted to restrict the national authorities’ powers to determine if a non-EU country provided adequate protection. The ECJ’s ruling concludes that notwithstanding any EU-level decision, supervisory authorities (like the Irish Data Protection Commissioner) in Member States could examine claims in which individuals argued that the transfer of their data was going to a country that did not provide adequate protection.3

The ECJ noted that while the Irish Data Protection Commissioner can and should take cases that question the validity of an EU Commission decision—as here, where Schrems’ claim questioned whether the EU Commission properly determined that the Safe Harbor Program was adequate—only the ECJ could actually invalidate such an EU Commission decision.4 And in this ruling, the ECJ did just that.

The Impact on EU-US Data Transfers and Safe Harbor Participants

This decision places a burden on companies who rely on Safe Harbor as the basis for personal data transfers. US companies indicate in their privacy policies and on the US Department of Commerce website their compliance with the Program’s provisions. They still have statements about their compliance on their websites. Should they take such statements down? What should they do about their listing with the Department of Commerce? As of this writing, the US Department of Commerce continues to maintain the list of US companies that have self-certified their compliance on its Safe Harbor website: Will the Department of Commerce list come down? What about EU companies that have been exporting to US companies that participate in the Safe Harbor Program? These questions will no doubt be asked. As of yet, they have not been answered.

For now, it seems unlikely that Member States will take immediate action against companies that have transferred data while relying on the EU-US Safe Harbor Framework. Indeed, the Deputy Commissioner for the UK Data Protection Authority has indicated that the ICO “recognise[s] that it will take some time” for businesses that use Safe Harbor to review how they ensure that data transferred to the US is in accordance with the law. It similarly seems unlikely that the Department of Commerce will take down its listing of Safe Harbor participants. Instead, discussions to find a solution are reported as ongoing between the US and EU.

Next Steps for Those Making EU-US Data Transfers

In the immediate future, EU-based companies transferring data into the US may seek to have the US recipients of personal data execute model contracts, even if the US company has indicated its participation in the Safe Harbor Program. US companies should be prepared for such a request. US companies relying on Safe Harbor should thus begin to explore alternate approaches to obtain personal data from the EU.

TIP: We anticipate this decision will be highly scrutinized and reported on in the coming weeks, with its impact on US-EU commerce hotly debated. Negotiated solutions between the US and EU may also be forthcoming, although a political solution is unlikely to be in place soon. For now, companies who relied on Safe Harbor as their method of transferring personal data from the EU to the US will want to consider putting in place an additional method—like a model contract or binding corporate rules—to avoid the exposure to a potential Member State enforcement action.