On October 6, 2015, the Court of Justice of the European Union declared invalid the U.S.-EU Safe Harbor framework, which was originally developed by the U.S. Department of Commerce and adopted by the European Commission on July 26, 2000. The framework has been relied upon by thousands of U.S. businesses as a means of ensuring that transfers of employee, consumer and other user data from the EU to the U.S. for storage or processing are compliant with the EU’s data privacy rules.
In the short run, companies that have relied upon the Safe Harbor framework will need to execute EU Standard Contractual Clauses. In the long run, the U.S. and the EU may be able to negotiate a new Safe Harbor program, but that may also require legislation amending the USA PATRIOT Act or the negotiation of intergovernmental agreements.
We’ll be talking about this issue in greater length at our upcoming Data Solutions Symposium in the session entitled “Contracting for Privacy and Security,” on October 23, 2015.
Background on the U.S. – EU Safe Harbor Program
The EU’s privacy protections are much more stringent than those of the U.S. Under the EU Data Protection Directive, EU Member States must protect the fundamental rights and freedoms of natural persons and in particular their right to privacy with respect to the processing of personal data. Moreover, Member States must provide that the transfer to a third country of personal data, which are undergoing processing or are intended for processing after transfer, may take place only if the third country “ensures an adequate level of protection.” The European Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. If the Commission finds that a third country does not ensure an adequate level of protection, Member States must take necessary measures to prevent any transfer of personal data undergoing or intended for processing to the third country in question.
Upon its review of U.S. privacy law, the European Commission concluded that the United States did not provide an adequate level of protection. In response, the U.S. Department of Commerce negotiated the Safe Harbor framework with the European Commission. The Safe Harbor framework bound all EU Member States to the European Commission’s finding that the safe harbor creates a presumption that U.S. companies in compliance with the Safe Harbor provides an adequate level of protection of personal data. An organization’s decision to qualify for the safe harbor is entirely voluntary, but the rules are binding for those who signed up.
The Schrems Case
The Safe Harbor program’s presumption of adequacy was challenged in 2013 by an Austrian citizen named Maximillian Schrems, who has been a Facebook user since 2008. As is the case with all other Facebook user-subscribers residing in the EU, some or all of the data provided by Mr. Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr. Schrems filed a complaint with the Irish supervisory authority, arguing that the law and practice in force in the United States did not ensure adequate protection of the personal data held in its territory against the surveillance activities that were engaged in the U.S. by the public authorities, in light of the revelations made in 2013 by Edward Snowden concerning the activities of the U.S. intelligence agencies and, in particular, the National Security Agency.
The Irish authority initially rejected the complaint on the grounds that the Commission-approved Safe Harbor framework ensured an adequate level of protection for personal data that was being transferred. Mr. Schrems then brought an action before the High Court of Ireland, challenging that decision. The High Court found that the electronic surveillance and interception of personal data transferred from the EU to the U.S. served “necessary and indispensable objectives in the public interest,” and that the revelations made by Mr. Snowden had demonstrated a “significant over-reach” on the part of the NSA and other federal agencies. The High Court, however, wished to ascertain whether the Commission’s 2000 decision had the effect of preventing a national supervisory authority from investigating a complaint alleging that the U.S. does not ensure an adequate level of protection. The High Court thus stayed the proceedings and referred the issue to the EU Court of Justice for a preliminary ruling.
In examining the validity of the Safe Harbor framework, the Court observed that the safe harbor is applicable solely to the U.S. organizations that adhere to it and U.S. public authorities are not subject to it. Furthermore, national security, public interest and law enforcement requirements prevail over the Safe Harbor framework, so that U.S. organizations are bound to disregard, without limitation, the protective rules laid down by the framework where they conflict with such requirements. The U.S. Safe Harbor scheme thus enables interference by U.S. public authorities with the fundamental rights of persons.
The Court also found that the U.S. Safe Harbor legislation does not provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data. The 2000 decision also denied the supervisory authorities their powers of investigation where a person brings a claim that calls into question whether a Commission decision that has found that a third country ensures an adequate level of protection is compatible with the protection of privacy and the fundamental rights and freedoms of individuals. The Commission did not have the competence to restrict the national supervisory authorities’ powers in that way. Therefore, the Safe Harbor Decision was invalid.
Implications
Now that the Safe Harbor framework has been invalidated, what should businesses that receive data from the EU do? The EU provides other mechanisms, besides the Safe Harbor, for transferring data across borders. These include using EU Standard Contractual Clauses and the adoption of Binding Corporate Rules. But these mechanisms may also come under scrutiny—and at least one data protection authority in Schleswig-Holstein has called into question whether data can be transferred to the United States under any circumstances.
For now, at least, EU Standard Contractual Clauses and Binding Corporate Rules are still a viable alternative. The EU’s Article 29 Working Party, which is comprised of data protection authorities from all EU Member States and provides guidance on compliance with the EU Data Protection Directive, issued a statement on October 16, 2015, that it will consider EU Model Contracts and Binding Corporate Rules as valid transfer tools until at least the end of January 2016. During that time, the Working Party is calling on EU Member States and EU Institutions to open discussions with the U.S. to find political, legal and technical solutions to the issue. This may require legislation in the U.S. amending current law on government surveillance programs, or at least some intergovernmental agreements on how these programs will apply to EU residents. If the governments cannot find a solution by then, the Article 29 Working Party will revisit whether these mechanisms may still be used.
Companies that have relied on the Safe Harbor framework should now turn to the EU Standard Contract Clauses as the mechanism to allow transfer of data from the EU to the United States. While Binding Corporate Rules are theoretically an option, they require approval by EU data protection authorities, which can take years. For the short term, the EU Standard Contract Clauses are the only viable alternative. But, keep in mind that the Schrems decision opens up every cross-border transfer to potential investigation by an EU data protection authority.
If you have questions about this decision and its impact on your business, please contact Norbert F. Kugele (nkugele@wnj.com or 616.752.2186), Dawn G. Ward (dward@wnj.com or 616.396.3039), or any other member of Warner’s Data Solutions Group.