The CJEU’s surprise invalidation of Safe Harbor as a means of transferring personal data to the US continues to create challenges for European and US organisations including the pharmaceutical industry. We look briefly at the effects of the decision and how things may change in the coming months.
In October 2015, the Court of Justice of the European Union (the “Court”) declared the Safe Harbor arrangement between the EU and the US, which allowed personal data to be transferred to US companies, to be invalid. Whilst the decision may not have slowed the movement of data from the US, it has made it harder for many companies to conduct these transfers whilst complying with EU data protection law.
By way of some background, Article 25 of the EU Data Protection Directive (the “Directive”) restricts transfers of personal data outside the EEA, unless certain conditions are met. One of these conditions is that the receiving country ensures an “adequate level of protection” for the data. The Directive gives the European Commission the power to decide that a third country ensures an adequate level of protection, by reason of its domestic law or the international commitments it has entered into.
In 2000, the Commission issued one such decision in respect of the US-EU Safe Harbor framework, deciding that compliance by US companies with the Safe Harbor principles provided an “adequate level of protection” for data transferred from the EU.
After the Snowden revelations regarding the National Security Agency’s mass data gathering and surveillance activities, an Austrian student called Max Schrems raised a complaint with the Irish Data Protection Authority (“DPA”) regarding Facebook’s data transfers under Safe Harbor. The Irish DPA then issued a referral to the Court, asking whether the Commission’s decision in respect of Safe Harbor itself was invalid in light of the Snowden revelations.
The Court declared the Commission’s adequacy decision invalid. However, rather than criticising the Safe Harbor principles themselves, the Court focused on a derogation in the Safe Harbor Framework. The derogation stated that a company did not need to comply with the principles to the extent necessary to meet national security, public interest, or law enforcement requirements, or in the case of conflicting legal obligations.
The Court found that this derogation enabled US government agencies, who were not themselves subject to Safe Harbor, to process personal data in a way incompatible with the privacy and data protection rights which the Directive was intended to uphold.
Since the decision, data controllers (and data processors looking to assist their customers) have been working to put in place alternative data transfer solutions. The most commonly adopted solution has been the Model Clauses, but applications for Binding Corporate Rules and ad hoc clauses have also increased.
The DPAs issued a joint statement shortly after the decision giving organisations until the end of January this year to ensure their transfers were compliant. After the January deadline, some DPAs are expected to be more active than others in terms of enforcement – the UK Information Commissioner’s Office has indicated it will be adopting a relatively light-touch approach. Historically, enforcement of the data transfer restrictions has been low across Europe, and it will be interesting to see if this changes.
In the meantime, unfortunately there are no signs that agreement on the new “Safe Harbor 2.0” is imminent. Schrems has also indicated that he will be challenging the Model Clauses on similar grounds to Safe Harbor. Whether he is successful or not remains to be seen, but it seems likely that the rules on data transfers will continue to be in a state of flux for some time.