Safe Harbor Invalidated

Jackson Walker

Last Tuesday, the European Court of Justice (ECJ) invalidated the US-EU Safe Harbor framework in Schrems v. Data Protection Commissioner. The Safe Harbor provided companies with a self-certification process through the US Department of Commerce that allowed the transfer of private data outside the European Union (EU) in a manner compliant with the EU Data Protection Directive. Approximately 4,500 US companies self-certified under the Safe Harbor.

The Basics: What is the EU Data Protection Directive?

The EU Data Protection Directive is the EU's comprehensive legal structure to protect the fundamental rights of its citizens, including the right to privacy. The Directive applies to EU countries (Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom) and European Economic Area (EEA) countries (Iceland, Liechtenstein, and Norway).

The Directive is enforced by national Data Protection Authorities (DPAs) of EU member states and the data protection authority of the European Commission. It imposes strict requirements on collectors and processors of personal data. Transfers of personal data outside the EEA can only occur if the receiving country has adequate protections in place.

The European Commission has determined that only Andorra, Argentina, Canada (commercial organizations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay have adequate protections allowing the flow of personal data. Transfers to the US were, until last Tuesday, allowed under the Safe Harbor.

The Decision: Schrems v. Data Protection Commissioner

The genesis of the Schrems case was Edward Snowden’s 2013 revelations about the US's surveillance activities. Schrems alleged that his personal data transferred to the US pursuant to the Safe Harbor was not adequately protected. Ultimately, the ECJ held that the existence of a European Commission decision finding that a third country ensures an adequate level of protection cannot eliminate or reduce the powers available to the DPAs. The DPAs must still be able to examine whether the transfer of personal data to a third country complies with the Directive's requirements.

The ECJ then examined the Safe Harbor scheme and noted that US public authorities are not subject to the Safe Harbor and that US national security, public interest, and law enforcement requirements all prevail over the Safe Harbor. As a result, those companies who self-certified under the Safe Harbor are required to disregard the EU protective rules when there is a conflict. Accordingly, the ECJ found that legislation permitting the US public authorities to have access on a generalized basis to electronic communication content compromised the fundamental right to respect for private life. The ECJ also observed that legislation lacking a mechanism for an affected individual to pursue legal remedies failed to provide adequate protection. For those reasons, the ECJ invalidated the Safe Harbor.

What Happens Now: Potential Alternatives

It is impossible to determine the full impact of the ECJ's decision at this time. Although the ECJ's invalidation of the Safe Harbor is immediate, it is unclear what actions the national DPAs might take regarding data transfers that were once shielded by the Safe Harbor. Additionally, individuals in the EEA may take steps to prevent the transfer of their personal data to the US.

Companies that have relied on the Safe Harbor may need to assess viable alternatives. They may want to consider whether the transfer of data is otherwise permitted because it falls within an exception or "derogation." For example, the transfer may be permissible if: (1) the data subject consented to the transfer; (2) the data processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into the contract; (3) processing is necessary for compliance with a legal obligation to which the controller is subject; (4) processing is necessary in order to protect the data subject; or (5) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or a third party.

Companies may also consider relying on model clauses or Binding Corporate Rules (BCRs) as possible alternatives. The European Commission has issued two sets of standard contractual model clauses for transfers outside the EU/EEA: one for transfers from data controllers to other data controllers and another for transfers from data controllers to data processors. BCRs are internal rules adopted by a multinational group of companies which define their privacy policies with regard to international transfers of personal data within the same corporate group to entities located in countries not deemed to have adequate levels of protection. However, BCRs are challenging and expensive to put in place and do not provide a basis for transfers made outside of the group.

Bottom line, a company should consider a number of factors in determining what to do in response to the Schrems decision, including an assessment of what data is collected and how it is used. If action is needed, then there are several alternative methods to consider. In addition, the European Commission has been working on a Safe Harbor "2.0" for some time. The US Department of Commerce commented that the Schrems decision underscores the need for Safe Harbor 2.0 to be released "as soon as possible."

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jackson Walker | Attorney Advertising
