US-EU Safe Harbor declared invalid for transferring personal data
In the immediate aftermath of the CJEU’s finding that Safe Harbor is invalid, we consider the impact on, and the options open to, businesses.
On 6 October 2015, the Court of Justice of the European Union (CJEU) delivered its decision in the case of Maximillian Schrems v Data Protection Commissioner (Case C-362/14), finding that the US-EU Safe Harbor scheme does not adequately protect personal data. The CJEU also held that European Union (EU) data protection authorities are not prevented from investigating individual complaints where the European Commission (Commission) has published a relevant decision on the transfer of personal data.
For the past 15 years, many businesses were able to rely on Safe Harbor as a means to comply with EU data protection law when transferring personal data from the European Economic Area (EEA – the EU member states plus Iceland, Norway and Liechtenstein) to Safe Harbor compliant businesses in the US. Now that Safe Harbor has been swept away, businesses that transfer personal data from the EEA to the US will need to find alternative ways to ensure that they continue to comply with EU law, against a backdrop of major reforms to the European data protection regime.
The CJEU decision criticised certain aspects of the Safe Harbor regime which were not compliant with EU data protection law, such as the ease and extent to which US intelligence agencies could access personal data and the fact that US public authorities were not required to comply with the Safe Harbor regime.
However, the CJEU did not attack the adequacy of the protections which US businesses wishing to join the Safe Harbor scheme are required to certify compliance with, namely the 7 Safe Harbor Privacy Principles and the relevant FAQs. This may be of some comfort to US businesses, as wholesale changes to their systems for processing personal data from the EEA, in order to ensure ongoing compliance with the Data Protection Directive 95/46/EC (Directive), may not be necessary.
We set out the background to the CJEU decision below, together with commentary on how businesses might navigate this new legal environment.
Under the Directive, personal data may only be transferred from the EEA to a third country if that third country provides an adequate level of protection for that data. The Safe Harbor scheme is an agreement between the US Department of Commerce and the European Commission under which US businesses may self-certify that they will adequately protect personal data transferred to them from the EEA. In 2000, the Commission published a decision stating that the Safe Harbor scheme could be relied upon as a means to comply with the data-transfer requirements in the Directive. Since then, over 5,000 companies have self-certified, with Safe Harbor being heavily relied upon by providers of consumer social media services and cloud-based ICT services, among others.
Max Schrems, an Austrian citizen and Facebook user, complained to Irish data protection authorities about the transfer of his personal data to Facebook’s servers in the US. In the wake of the Edward Snowden revelations concerning the covert activities of the US intelligence agencies, Mr Schrems claimed that the US does not provide sufficient protection of EU citizens’ personal data. The Irish authority rejected his complaint on the basis of the Commission’s decision as to the adequacy of Safe Harbor.
The High Court of Ireland referred the matter to the CJEU, seeking clarification as to whether the Commission’s Safe Harbor decision prevents national data protection authorities from investigating complaints concerning data transfers to the US.
The CJEU ruled that the Commission’s decision is invalid. It observed that in 2000 the Commission had merely examined the terms of the Safe Harbor scheme, and had not analysed wider US law to ensure that adequate protection would be provided. The CJEU pointed out that if the Commission had conducted such an analysis, it would have found certain weaknesses in the scheme. For example, Safe Harbor applies only to US businesses, and not to US public authorities. Furthermore, US national laws prevail over Safe Harbor, meaning that US businesses are bound to disregard Safe Harbor obligations where they conflict with US law. This means that Safe Harbor offered inadequate protection against interference with the fundamental rights of EU citizens as to their data, leaving the door wide open to the surveillance uncovered by Edward Snowden.
The Irish data protection authority now has the green light to investigate Mr Schrems’ complaint, and decide whether the transfer of Facebook users’ personal data to the US should be suspended on the grounds that the US does not afford adequate protection of such data.
Alternative options for businesses
As mentioned above, the CJEU decision does not necessarily require all US Safe Harbor-certified businesses to change the measures and safeguards they have in place to protect the security of personal data transferred from the EEA. However, such businesses will be required to implement new procedures to ensure compliance with the Directive. We expect the EU’s independent data protection advisory body, the Article 29 Working Party, to issue associated guidance on the options available to US Safe Harbor-certified businesses and their EEA customers and group entities in the near future.
As for businesses established in the UK, the Information Commissioner’s Office (ICO), the UK data protection regulator, issued guidance following the CJEU ruling. It recognises that businesses that use Safe Harbor will need time to adapt to the shift in the law, assures businesses there will be no “knee-jerk” enforcement of the CJEU ruling and points out that there are alternatives to Safe Harbor. Although this will give businesses time to consider their options, it would be prudent to consider the position now before the dust settles.
The alternative compliance routes available depend on whether the transfer of data is business to business, or business to consumer. For business to business data transfers, alternatives include:
- incorporating the Commission-approved “Model Clauses” for transferring personal data into the agreement between the parties;
- adopting binding corporate rules (essentially an internal code of conduct for a group of businesses, which must be approved by the relevant EEA data protection authorities);
- the EEA data controller undertaking its own positive assessment that the transfer is in compliance with the Directive; and/or
- relying on obtaining the consent of the data subject to the transfer of their data outside the EEA.
Where the relationship is directly between an individual and a US business, the options are narrower. For example, it is not clear how “Model Clauses” can be relied upon where a US provider does not have an EEA entity collecting the personal data (which is often the case, for example, with US mobile app providers).
Although there are clear alternatives, they often have limitations compared to Safe Harbor. For example, if a business wishes to rely on individual consent, there may be practical issues in obtaining consent and, once obtained, the individual can revoke it later at any time.
Following the CJEU’s ruling, all companies which transfer or receive personal data from the EEA to the US, whether US data processors or their EEA group entities or customers, should review exactly what data flows take place within their businesses so that they can make an informed decision on which alternative compliance routes could be implemented. It would also be a timely opportunity to take into account the data protection law reform proposals in the form of the draft General Data Protection Regulation (GDPR), which will replace the Directive within the next few years and hopefully make it easier to achieve compliant data transfers from the EEA.
There will be a flurry of activity in the coming weeks and months to address the demise of Safe Harbor in its current form, including the publication of revised guidance by the ICO and other European data protection bodies. There is also a possibility that Safe Harbor will be revised to make it a viable compliance option once again, as concerns over the effectiveness of Safe Harbor have existed for some time and the Commission and US authorities are already in an advanced stage of renegotiation of its terms.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.