Today the European Court of Justice (“ECJ”) issued its Judgment in the Schrems case, and in doing so, added another tremor to the ongoing seismic shift related to cross-border privacy law. The two major elements of today’s Judgment are: 1) that Commission Decision 2000/520/EC of 26 July 2000 of the adequacy of the protection provided by the US Safe Harbor Framework (the “Safe Harbor Decision”) is invalid, and 2) even if the Safe Harbor Decision were otherwise valid, no decision of the Commission can reduce the authority of a national data protection authority to enforce data protection rights as granted by Article 28 of Directive 95/46/EC (the “DP Directive”).
Clearly, the first element brings a more immediate concern for all the companies participating in the Safe Harbor framework. However, the second element will have much longer term consequences for the stability of US-EU commerce and privacy law.
Validity of the Safe Harbor Decision
Over 4000 companies rely on the Safe Harbor Decision as the legitimate basis for transfers of data from the EU to the US. The unfortunate result of today’s Judgment is that such a basis for transfer is no longer valid, as the ECJ’s ruling has direct and retroactive effect on how the DP Directive should be interpreted. Therefore, companies need to determine an alternative basis for lawfully transferring their data to the US. Fortunately, there are ways to do this. Unfortunately, until such measures are taken, companies moving data between the US and the EU may be in breach of EU law.
Data Transfer Agreements
The Safe Harbor Decision is only one way to legitimize transfers of data to the US. In the consumer arena, consent to transfer is also a basis for transfer. Additionally, there are several other derogations from the DP Directive which allow for transfers of data, many of which can be used in the e-commerce or consumer context. Most commonly, we see the use of data transfer agreements between the EU “exporting” entity and the US “importing” entity. These agreements are deemed “adequate” when they use the “Model Clauses” promulgated by the EU.
The more challenging context for US businesses is not in the consumer arena, but in the workforce arena, where consent is often not viewed favorably. Fortunately, this issue can be effectively managed via the use of Model Clauses between the US and EU counterparts of a company.
New Safe Harbor
While the Court invalidated the Safe Harbor Decision, it did give instruction on how to correct the deficiencies of the decision. In fact, the Court found the Safe Harbor Decision deficient not in the data protection principles, per se. The Court stated that “…without there being any need to examine the content of the safe harbor principles… Decision 2000/520 fails to comply with the requirements laid down in Article 26(6) of [the data protection directive]…”. One can take this to mean that the underlying concept of the data protection principles is not defective, merely the means by which the Commission issued its decision.
To this end, the Court found that the Safe Harbor Decision has several fatal flaws:
- it limited the National DPA authority to effectively hear claims that privacy rights were being violated,
- it did not contain a finding of existing domestic rules which would limit the interference with privacy rights which the US government is authorized to engage in (specifically bulk processing of personal data by US intelligence and law enforcement agencies), and
- it did not refer to existing legal remedies for unlawful interferences in privacy rights by the US government.
While it would seem that developing a Safe Harbor 2.0 might take an inordinate amount of time, work on this issue is already underway. In a press release today, the UK Information Commissioner’s Office (“ICO”) noted that “…negotiations have been taking place for some time between the European Commission and US authorities with a view to introducing a new, more privacy protective arrangement to replace the existing Safe Harbor agreement… [and] that these negotiations are well advanced.” Clearly, the Court has provided a roadmap to resolving the noted deficiencies in the Safe Harbor Decision.
Additionally, the new General Data Protection Regulation is poised to recognize “codes of conduct” (under Article 38) as a means to legitimize transfers of data (which is effectively what the Safe Harbor Decision does).
While the Judgment is going to create challenges in the short term, most businesses will have a way to ensure their data can still legally flow between the EU and the US. However, businesses that relied on the Safe Harbor Decision are going to need to take some action to make sure their data flows are legitimized outside the Safe Harbor Decision framework until a new agreement is reached between the European Commission and the US.
National Data Protection Authority Jurisdiction
The second element of the Judgment, which will continue to have farther reaching effects than just the invalidity of the Safe Harbor Decision, is the inability of the Commission to prevent individual National DPAs from making a determination of “adequacy” (or lack thereof) for any transfer of data concurrently with the Commission. The effect of this element of the decision is poised to render any Safe Harbor agreement inconsistent in its enforcement.
As the National DPAs and the Commission are deemed to have concurrent jurisdiction in making adequacy determinations, it is quite possible that, even where a new Safe Harbor agreement is in place, individual DPAs will determine that the Safe Harbor is not operative in their particular member state.
This inconsistency in application would seem to make it advisable for businesses to develop a blended approach to their data transfer practices, for example using consent for consumer data and model contracts for workforce data. Additionally, the development of Binding Corporate Rules is going to take on a much more prominent role as a means of legitimizing cross-border transfers of personal data.
Regardless of the solution a business decides to take, the ECJ’s Judgment today will require a thorough review of how a business enables its data flows between the EU and the US.