European Court of Justice Invalidates Safe Harbor Adequacy Finding: Organizations Should Re-evaluate Their Basis for EU-US Data Transfers

On October 6, 2015, the European Court of Justice (ECJ) issued its opinion in Schrems v. Data Protection Commissioner (C-362/14), a case which, among other things, challenged the validity of the European Commission’s 2000 finding that the EU/US Safe Harbor framework (Safe Harbor) provided an adequate level of protection for personal data and therefore could be used as a lawful basis for transferring personal information from the European Union to the United States.

The 1995 EU data protection directive (the “Directive”) restricts the transfer of personal information from the EU to countries outside the EU that lack what the EU considers to be “adequate” privacy protection. US law as a whole has not been deemed adequate, and Safe Harbor was created to facilitate transfers from the EU to the US by companies that self-certify to its principles. Safe Harbor has been used by over 4,500 companies as a legal basis for transferring personal information from the EU to the United States since the program was implemented in 2000.

The ECJ Opinion.

The ECJ found that the 2000 European Commission Safe Harbor adequacy finding was deficient in a number of respects and is, therefore, invalid. In particular, the ECJ noted that the European Commission’s decision did not contain a finding that U.S. law provides a level of protection for personal data “essentially equivalent” to that guaranteed under EU law. The ECJ noted that U.S. government agencies are not subject to Safe Harbor’s requirements and hence are not bound by the rules of the program. The Court also found that a Safe Harbor provision deferring to U.S. national security and law enforcement needs – in the event of a conflict between those interests and the requirements of the Safe Harbor principles – “enables interference” by U.S. officials with the fundamental rights of EU citizens, without limitation. The Court also faulted the program for not providing EU citizens an opportunity to seek redress in the case of such governmental interference.

In another aspect of the opinion likely to have long term implications, the ECJ also stated that adequacy findings are subject to challenge through Data Protection Authorities (DPAs) and the courts in each of the EU’s 28 member states, but held that only the ECJ itself has the authority to invalidate an adequacy finding. This part of the ruling appears to empower consumers and advocates in the EU to bring complaints and require that the DPAs address them, unlike the situation that prompted the Schrems case where the Irish DPA refused to address Mr. Schrems’ complaint against Facebook because of the European Commission’s Safe Harbor adequacy finding.

What does the opinion mean?

In the short term, and perhaps the not so short term, there is likely to be a period of uncertainty around data transfers from the EU to the United States, particularly those involving Safe Harbor participants. It appears unlikely that the European DPAs will seek to bring retroactive actions for data previously transferred from the EU to the US through Safe Harbor in good faith and in compliance with the program’s requirements. Moving forward, however, companies that use Safe Harbor themselves, or that rely on service providers which use Safe Harbor in the course of providing services, should review their options and strategies for transferring personal data from the EU to the United States to mitigate the risk of complaints or enforcement inquiries in the EU. While the ECJ opinion struck down the Safe Harbor adequacy finding—and potentially lays the groundwork for challenging other adequacy findings—other means of transferring personal information, such as European Commission approved standard (aka “model”) contractual clauses, currently remain a valid option for facilitating data transfers.

With the invalidation of the Safe Harbor adequacy finding, DPAs in each of the EU Member States may take different positions with respect to transfers by companies that had been relying on Safe Harbor. The UK Information Commissioner’s Office, for example, issued a statement that said in part, “The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognize that it will take them some time to do this.” DPAs in other EU Member States may take different approaches, potentially driven by consumer complaints about transfer practices; the ECJ said that a DPA’s rejection of such a complaint could be appealed to the national courts. A number of data protection authority officials issued statements stressing the need for the DPAs to consult on their approach to the issue. Meetings among the DPAs are expected to begin within days.

What about a new or reformed Safe Harbor program?

The EU and the US have been in ongoing discussions about reforming Safe Harbor, and recent reports indicate that those talks had been nearing completion. However, any reform of Safe Harbor will now need to be reviewed to take the ECJ’s opinion into account, which could take some time. The ECJ raised a number of objections to the original Safe Harbor program, which could raise the bar for a new agreement, because it too could be challenged and become the subject of a future ECJ case. Statements from the Department of Commerce and from European Commission officials following the ECJ ruling both referenced the ongoing negotiations over a reformed Safe Harbor program and the importance of the continued flow of personal information across the Atlantic. No timetable has been offered as to when such an agreement might be finalized or implemented.

What other options are available to transfer personal data from the EU to the US?

Even with the invalidation of Safe Harbor there are still strategies for lawfully transferring personal data from the EU to the United States. Which of these strategies—or some combination of them—would work for a particular company will depend on the company’s situation. Options include:

  • Standard contractual clauses. Companies that send or receive personal information from the EU to the US on a business-to-business basis may be able to use standard contractual clauses that have been approved by the European Commission under separate Commission decisions which were not before the ECJ in the Schrems case. These clauses, which have been approved for data transfers from the EU to third countries around the world, not just for transfers to the United States, must be adopted by the parties without modification (except for a few particular clauses where customization is permitted).
  • Binding Corporate Rules. Binding corporate rules (BCRs) are binding privacy commitments that a multi-national family of companies makes to EU data protection authorities to govern transfers of personal information within that family of companies. While European DPAs have made efforts to streamline the BCR process, it still can take a significant amount of time and resources to obtain approval for BCRs and the BCRs only cover the transfer of personal information between members of the corporate family, not arrangements with service providers. Nevertheless, for multinational corporations that have relied on Safe Harbor in the past, BCRs may be a useful means for transferring human resources and consumer data from the EU to other members of the corporate family either in the US or in other countries around the world.
  • Consent and other “derogations.” The EU Directive’s restriction on the transfer of personal data to third countries that lack an “adequate” level of data protection includes a number of limited exceptions or “derogations”, which, depending on the circumstances, also could serve as a basis for transferring personal information:

    • The data subject has given consent unambiguously to the proposed transfer.
    • The transfer is necessary for the performance of a contract between the data subject and the controller (essentially the party that controls what happens to the personal data) or the implementation of precontractual measures taken in response to the data subject’s request.
    • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party.
    • The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims.
    • The transfer is necessary in order to protect the vital interests of the data subject.
    • The transfer is made from a public register to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

While some of these derogations may seem broad at first, their potential applicability should be carefully reviewed because EU authorities tend to interpret the derogations narrowly. In the case of consent, for example, the European view is that consent must be freely given, which can present challenges in some areas, such as employment, where EU data protection officials may question whether consent has been freely given because of the imbalance in the relationship between employer and employee. Similarly, where “necessary” is used in a derogation, it is often narrowly construed; EU data protection officials do not interpret “necessary” as meaning merely convenient for the company that would be transferring the personal data.

The ECJ opinion is significant in a number of respects and likely will have long term implications. In the near term, organizations that rely on Safe Harbor directly or indirectly to facilitate transfers of personal information from the EU to the US should consider alternate measures to mitigate their potential risk.