The Snowden Effect: The Safe Harbor Is Not So Safe Any More

Since 2000, thousands of companies in the United States relied on the Safe Harbor to transfer personal data from the EU to the U.S. in accordance with the EU Data Protection Directive. The Court of Justice of the European Union's decision in Schrems (the "Decision"), discussed below, is effective immediately and threatens to significantly impact cross-border business practices.

History

The EU Data Protection Directive provides that personal information regarding citizens of the EU can only be transferred from the EU to countries that have sufficient data protection protocols in place.  While a number of countries satisfy this requirement, the United States does not.

For a company that wishes to transfer personal data to a country that does not have adequate protocols in place, the European Commission provided a few mechanisms for conducting such transfers. In the United States, one of these mechanisms was the Safe Harbor, which was negotiated by the European Commission and the U.S. Department of Commerce and took effect in 2000. To take advantage of the Safe Harbor, a company had to self-certify to the Department of Commerce that it complied with certain EU privacy standards and otherwise complete a registration process.

Schrems v. Data Protection Commissioner

That process has now been tossed aside. In Schrems v. Data Protection Commissioner, the plaintiff alleged that an Irish subsidiary of Facebook transferred data to the U.S. under the Safe Harbor and that his rights of privacy had been violated because Facebook participated in the United States National Security Agency's ("NSA") PRISM program, which allowed the NSA access to his data. Schrems filed his complaint with Ireland's Data Protection Commissioner. The Irish Commissioner rejected his complaint on the basis that the European Commission had already found that the Safe Harbor provided a sufficient level of data protection. Schrems appealed to the Irish High Court, which in turn referred the case to the Court of Justice of the European Union (CJEU).

The CJEU held that although the European Commission had decided that the U.S. ensured an adequate level of protection when it approved the Safe Harbor, the individual Data Protection Authorities (DPAs) of EU member states can still independently examine a claim. Thus, in Schrems, the Irish data protection authority could question whether the Safe Harbor adequately protected Irish citizens' fundamental right of privacy.

The CJEU also declared the EU-U.S. Safe Harbor to be invalid. The court set a high standard for when transfer of data should be permitted and held that an "adequate level of [data] protection" for EU citizens means "a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union." The CJEU held that the Safe Harbor failed to meet this standard because the Safe Harbor does not stop the U.S. government from collecting the personal data of EU citizens, even in the absence of a risk to national security. The court noted that the leaks from Edward J. Snowden, the former NSA contractor, demonstrated that American intelligence agencies had substantial access to the data, infringing on EU citizens' rights to privacy. Since it found this practice to violate the fundamental privacy right of EU citizens, the court declared the Safe Harbor to be invalid.

Impact of the Schrems Decision

The Decision is effective immediately. Given that the Court declared the Safe Harbor to be invalid, companies that had previously relied on the Safe Harbor to transfer data from the EU to the U.S. must now quickly find an alternative method to comply with the EU Data Protection Directive. Alternatives include Binding Corporate Rules and Model Contract Clauses, which are essentially the models provided by the EU that permit companies to transfer data out of the EU by going through a different approval process involving the European Commission and the data protection authorities in the member states.

In addition, many companies that transfer data from the EU to a processor in the United States previously relied on the fact that the processor was Safe Harbor certified. These companies should review their agreements with such processors and ensure that the processors utilize an alternative means of satisfying the EU Data Protection Directive.

For approximately the last two years, the European Commission and the U.S. Department of Commerce have been negotiating a revision to the Safe Harbor. Those negotiations may now be complicated and delayed in the face of the Decision. While the Department of Commerce is continuing, for now, to administer the Safe Harbor program, that may change as a result of the Schrems Decision.

TAKEAWAYS

  • Companies involved in EU-U.S. data transfers should closely monitor this developing situation. There is a high level of concern at the federal level, including at the White House.
  • Companies that had been relying on Safe Harbor self-certification to transfer data should find an alternative method to comply with the EU Data Protection Directive. This may be challenging, but processes to consider include obtaining consent, Model Contract Clauses, and Binding Corporate Rules.
  • Similarly, companies that had been relying on vendors that were Safe Harbor certified should ensure that their vendors adopt an alternative method of compliance.
  • Companies relying on other methods of compliance, such as Binding Corporate Rules and Model Contract Clauses, should monitor developments in the EU. In the wake of Schrems it is very possible that these methods will face scrutiny as well.
