European Court Invalidates Safe Harbor for Transatlantic Personal Data Transfer
What Happened?
An October 6, 2015 decision by the European Court of Justice (ECJ) could significantly alter the framework under which U.S. companies transfer personal data across the Atlantic: the ECJ found the EU-U.S. Safe Harbor framework (the Safe Harbor) to be invalid, effective immediately. The Safe Harbor, which thousands of U.S. companies with transatlantic operations (including e-commerce sites with European customers) have relied on, previously provided a means by which these companies could demonstrate compliance with the strict EU Data Protection Directive (Directive), which governs the protection and transfer of personal data in Europe. The ECJ's ruling eliminates the Safe Harbor as a compliance option and raises numerous questions about the transfer and protection of personal data by U.S. companies with operations or customers in Europe.
What Does it Mean?
With this decision, the ECJ has made it clear that the Safe Harbor does not, in fact, provide an adequate level of data protection, because it cannot prevent U.S. intelligence and other government agencies from accessing personal data that has been transferred from Europe. The court also held that U.S. law does not give EU citizens any legal remedy to access, rectify or erase personal data once it has been made available to those agencies. By invalidating the Safe Harbor, the ECJ has removed the legal basis for the countless transfers of personal data from Europe to organizations in the U.S. that are currently made in reliance on it. Certain types of organizations are affected immediately, including organizations with operations, personnel or subsidiaries in Europe and U.S. companies that receive data from European customers, such as U.S.-based e-commerce sites that gather personal data from customers in the EU.
Many organizations with operations, personnel or subsidiaries in Europe have relied on the Safe Harbor to facilitate intra-group data transfers from European subsidiaries to a U.S. affiliate or parent company. With the Safe Harbor no longer valid, these entities will need a new lawful basis for transferring personal data within their corporate group. Likewise, U.S. companies that obtain personal data from European customers in the course of their operations, including U.S.-based e-commerce sites, must take action to address the invalidation of the Safe Harbor.
What Can You Do?
Pending further guidance, companies that plan to continue their transatlantic data transfers would be well advised to consider the following actions:
- Determining what personal data is currently being transferred from the EU to the U.S. in reliance on the Safe Harbor, and whether there is a continuing business need for each of those transfers;
- Investigating other lawful transfer mechanisms, such as Binding Corporate Rules (BCRs) or the European Commission's Standard Contractual Clauses. BCRs allow a corporate group to adopt internal privacy policies that mandate European-style data protections across the entire organization; once approved by the relevant DPAs, BCRs allow the group to make intra-group transfers without seeking approval for each transfer, but they do not cover transfers to unaffiliated third parties. Because the BCR approval process is lengthy, the Standard Contractual Clauses, which can be incorporated into data transfer agreements and are deemed to provide adequate safeguards under the Directive where the third country (in this case, the U.S.) does not itself ensure an adequate level of protection, may be the most viable option in the near term;
- Reviewing agreements with vendors and service providers that represent themselves as Safe Harbor compliant, since that representation no longer establishes a lawful basis for the transfer, and assessing alternative options with them; and
- Evaluating whether it is practical to obtain unambiguous consent to the transfer from all individuals whose information is collected in Europe. This option may be viable for organizations that handle a very small amount of data relating to EU data subjects; for larger numbers of individuals, it may be cost prohibitive and difficult to implement.
What Does the Future Hold?
The European Commission recently stated that it believes the ECJ's ruling confirms the need to renegotiate the Safe Harbor, and that it intends to issue "clear guidance" on how to handle data transfers to the U.S. so that a consistent approach is taken during this period of uncertainty. The Article 29 Data Protection Working Party also met to discuss the impact of the ruling and issued a statement indicating that there will be an informal grace period before full-scale enforcement: if no appropriate solution or compromise with U.S. authorities has been reached by the end of January 2016, European Data Protection Authorities (DPAs) will begin taking coordinated enforcement action. In the meantime, DPAs remain free to investigate particular cases and may use their enforcement powers to protect individuals who allege that their personal data is not being adequately safeguarded.
Waiting for more definitive guidance before making major structural changes may be the wisest course at this time. There is, however, no way to know when, or whether, the U.S. and the EU will agree on a new version of the Safe Harbor that satisfies the ECJ's ruling. In the meantime, counsel should be engaged to review existing contracts and data flows and to assess the impact of the ECJ's ruling on a company-by-company basis.