Safe harbor in a storm: ECJ rules on data transfers to the US | Practical Law

The European Court of Justice has found that the European Commission’s decision on the EU-US safe harbor framework is invalid. While the UK Information Commissioner’s office has urged businesses not to panic, the ECJ’s ruling means that EU businesses should review data flows to the US and seek to rely on other approved grounds for data transfers under the Data Protection Directive (95/46/EC).

Practical Law UK Articles 3-619-7150 (Approx. 5 pages)

by Nick Graham and Tanvi Mehta, Dentons
Published on 29 Oct 2015. Jurisdictions: European Union, United Kingdom, USA (National/Federal)
The European Court of Justice (ECJ) has agreed with the Advocate General and found that the European Commission's (the Commission) decision on the EU-US safe harbor framework (2000/520/EC) (the safe harbor decision) is invalid and that the safe harbor decision does not prevent national data protection authorities (DPAs) from investigating claims in connection with it (Maximillian Schrems v Data Protection Commissioner C-362/14) (see box "What is the safe harbor?").
While the UK Information Commissioner's Office (ICO) has urged businesses not to panic, the ECJ's ruling means that EU businesses should review data flows to the US and seek to rely on other approved grounds for data transfers under the Data Protection Directive (95/46/EC) (the Directive).
Importantly, the Article 29 Working Party (the working party), the independent advisory body to the Commission on data protection whose members include representatives of the DPAs of each EU member state, has stressed that transfers to the US under the safe harbor are now unlawful and that businesses should instead rely on model contracts and binding corporate rules, which the working party has clearly stated can still be used (the working party guidance) (http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf) (see "Using model contracts" below and News brief "Binding corporate rules: the answer to global data protection").

The dispute

Max Schrems, an Austrian privacy campaigner, made a complaint to the Irish DPA, based on the revelations made by Edward Snowden in 2013, about personal data obtained by Facebook Ireland and transferred to, and stored by, Facebook Inc in the US. The Irish DPA dismissed the complaint on the ground that the relevant transfer was covered by the safe harbor decision, which it considered itself bound by. Schrems challenged that dismissal in the Irish High Court, which referred the matter to the ECJ for a ruling. Essentially, the ECJ was asked whether a DPA was absolutely bound by the safe harbor decision, notwithstanding citizens' rights under the EU Charter of Fundamental Rights 2000 (the Charter) and the Directive.

Right to investigate

The ECJ decided that a DPA was not absolutely bound by the safe harbor decision and that the decision's existence should not override a DPA's right to investigate independently a claim made by a person in its jurisdiction. Much was made of the need to interpret the law in the light of the fundamental rights guaranteed by the Charter, in particular Article 7 (respect for private life) and Article 8 (protection of personal data). The ECJ relied heavily on the Charter and on Snowden's allegations about mass surveillance in justifying its reassessment of the safe harbor framework.

Concerns over the safe harbor

The ECJ raised a number of concerns with the safe harbor regime:
  • Even though Article 2 of the safe harbor decision assumes that the US ensures an adequate level of protection under the Directive, it does not actually explain how the US achieves this level of protection.
  • Annex 1 of the safe harbor decision, in summary, says that the safe harbor principles may be limited to the extent necessary to meet national security, public interest or law enforcement requirements or by statute, government regulation or case law. The ECJ concluded that this means that US law trumps the safe harbor regime in the event of conflict. The authors do not think that this is necessarily so clear cut, but nevertheless that was the court's decision.
  • The safe harbor decision does not contain a finding regarding US law striking the right balance with privacy rights, and the ECJ was not persuaded that there was any independent body in the US with power to regulate outside of the safe harbor regime. In this context, the ECJ took the view that legislation permitting public authorities to have access on a generalised basis to the content of electronic communications is a breach of Article 7 of the Charter.
  • The absence of any ability for individuals to pursue legal remedies in the US (for example, to access, rectify or erase their data) was considered to breach the right to effective judicial protection under Article 47 of the Charter.
The ECJ therefore decided that the safe harbor decision fails to comply with the requirements laid down in Article 25(6) of the Directive, read in the light of the Charter, and is invalid.

Practical implications

There are currently 4,465 companies signed up to the self-certification safe harbor regime. Since Schrems, both the ICO and the Commission have emphasised the importance of international data flows. However, the working party released a statement on 16 October 2015 stating that transfers that are still taking place under the safe harbor regime are unlawful. This is not a surprise; it is now clear that the safe harbor framework no longer applies and companies therefore need to find alternative legal grounds for data exports from the EU to the US, unless a new solution can be reached.
The Commission has said that it is well advanced in agreeing a new safe harbor package (safe harbor 2.0) but has not given any timeframe for finalising this. Again, the working party has been more forceful on this front, stating that if no solution, such as an intergovernmental agreement or a safe harbor 2.0, can be reached with the US by the end of January 2016, EU DPAs will take all necessary and appropriate actions, which may include co-ordinated enforcement actions. This sounds like a grace period until the end of January 2016 for those organisations that previously used the safe harbor, while local DPAs retain their rights to investigate and exercise their powers in response to particular concerns or complaints. Clearly, how this plays out will depend on local regulatory policy and culture.
We advise businesses to do the following:
  • Review current data flows to the US where the safe harbor is currently relied on, including intragroup data flows and contracts with vendors. Some large vendors are already offering model contracts for their corporate customers.
  • Prioritise those data flows that involve the largest transfers or the most sensitive data.
  • Consider implementing model contracts to replace reliance on the safe harbor for large or sensitive data flows. The ICO has said that companies will need time to consider this but now that the working party guidance is available, it is time for businesses to assess this option.
  • Consider the likely structure of model contracts. They are generally required to be bilateral as multi-party and multi-country agreements can be problematic. This could be particularly difficult for multinational companies that will need to authorise data flows across their various offices.
  • Consider other available exemptions and mitigation strategies. For example, consider whether it would be possible to obtain customers' unambiguous consent to the disclosure of their personal data to the US. This approach may be difficult where HR data is the subject of disclosure, as it is hard to show that an employee's consent was freely given. Mitigation strategies could also include anonymising or pseudonymising the data that forms part of the data export. Note, however, that pseudonymised data remains personal data under the Directive, so pseudonymisation reduces risk but does not by itself remove the need for a lawful transfer ground; only genuinely anonymised data falls outside the Directive's transfer restrictions.
  • Keep a paper trail to document the steps that have been taken and track progress against it.

Using model contracts

For current purposes, at least until a safe harbor 2.0 is agreed, model contracts are likely to be the best alternative (www.practicallaw.com/9-501-7717). The working party has given a clear statement that model contracts and binding corporate rules may still be used until the working party completes its analysis on the impact of Schrems on other transfer tools, which is expected to take place in January 2016.
Nick Graham is a partner, and Tanvi Mehta is an associate, at Dentons.

What is the safe harbor?

The Data Protection Directive (95/46/EC) (the Directive) restricts the transfer of personal data outside the EEA to a third country unless that country ensures an adequate level of protection. The safe harbor framework was a voluntary set of privacy principles developed between the US Department of Commerce and the European Commission to overcome the Directive's restrictions on data transfers. US organisations self-certified their compliance with the principles to the Department of Commerce, and the Commission's safe harbor decision (2000/520/EC) treated certified organisations as providing adequate protection, enabling personal data to be transferred to them from the EU in compliance with EU data protection laws.