Business implications of the ECJ’s ruling invalidating the “adequacy” of US Safe Harbor – updated


The European Court of Justice’s (ECJ) recent ruling on data protection Safe Harbor principles could have far-reaching implications for the protection of EU data subjects (including employees, clients and suppliers), particularly where the transfer involves “certified” companies that host and/or centralize large amounts of data that is potentially accessible by non-authorized US entities and authorities.

The Safe Harbor principles

The EU Data Protection Directive provides that the transfer of personal data to a non-EU country may, in principle, take place only if that country ensures an adequate level of data protection approved by the European Commission (EC). While the US does not have a comprehensive data protection law framework, the EC recognized the EU-US negotiated Safe Harbor principles in 2001 as providing the required level of protection (EC Decision 2000/520/EC). Safe Harbor-certified businesses were then legally permitted to import personal data from the EU.

The Schrems case

Maximilian Schrems, an Austrian citizen who had been a Facebook user since 2008, lodged a complaint with the Irish Data Protection Authority (DPA), alleging that US law did not offer sufficient protection of data exported from the EU against surveillance by US public authorities.

The Irish authority rejected the complaint on the basis that it was bound by the Safe Harbor scheme. In turn, the High Court of Ireland sought a preliminary ruling from the ECJ to determine whether a national DPA within the EU would be bound by the EC decision, or whether it could independently rule on a complaint concerning the level of adequacy of data protection of a non-EU country.

ECJ decision, 6 October 2015

The ECJ ruled that the Safe Harbor decision was invalid, on the basis that the EC did not consider US law to effectively “ensure” an adequate level of protection. The Court concluded that national data protection regulators in EU member states have full authority to examine whether a challenged data transfer complies with EU law. Ultimately the Court ruled that the Safe Harbor framework is therefore invalid.

The Irish DPA is now required to examine Mr Schrems’ complaint again to decide whether transfer of European Facebook users’ data to the US should be suspended on the grounds that the US does not afford adequate personal data protection measures.

Implications for businesses 

Businesses will now need to assess their strategies for cross-border transfers and consider comprehensive solutions such as so-called binding corporate rules (BCRs). BCRs are internal rules within the same group of companies that ensure compliance with EU data protection laws for the transfer and processing of personal data in countries with inadequate data protection protocols. It now falls upon the national EU DPAs to examine the legitimacy of the Safe Harbor principles.

This decision may be the trigger for review and renegotiation of the Safe Harbor principles in the context of ongoing negotiations between the EC and US authorities.

The Article 29 Data Protection Working Party (which includes all 28 EU Data Protection Authorities), the European Data Protection Supervisor and an EU Commission representative will convene today, 15 October, with a view to reaching consensus on a consistent approach to the ECJ’s ruling.

New guidelines from EU Data Protection Authorities following ECJ Decision

On 16 October, the Article 29 Working Party disclosed the positions of all 28 Member States’ DPAs on the consequences of the ECJ decision. In short, the main takeaways are:

  1. Safe Harbor is not an appropriate vehicle for securing transfers of personal data from the EU to the US. Any transfer carried out on this basis after 6 October is deemed illegal, and there will not be a transition period even if, for practical reasons, we anticipate that enforcement may not start on a systematic basis before next January.
  2. EU Standard contractual clauses and BCRs are still valid, although they may be adjusted.
  3. Amid uncertainty about the future and timetable of a new agreement, companies currently using the Safe Harbor framework are strongly encouraged to move to EU Standard contractual clauses and BCR mechanisms to handle recurrent and large transfers of personal data. If DPAs launch investigations, it will be important for companies to demonstrate that they have implemented or engaged in their best efforts to implement such legal vehicles to deal with transfers.