On October 6, 2015, the European Court of Justice
("ECJ") invalidated the European Union–United
States data protection safe harbor (the "Safe Harbor").
In its decision in Case C-362/14 Maximilian Schrems v Data
Protection Commissioner, the ECJ invalidated the Safe Harbor
because it failed to provide an adequate level of protection to
personal data transferred from the EU to the U.S., as required by
the EU Data Protection Directive 95/46/EC. A press release
summarizing the decision can be found here.
The Safe Harbor was implemented by agreement between the U.S.
government and the EU Commission in 2000, and since then more than
4,000 U.S. companies have signed up to the Safe Harbor in order to
receive electronic data from the European Union. As a result of
this decision by the ECJ, international data transfers cannot
continue to be made by customers and businesses in the EU to U.S.
companies on the basis of the Safe Harbor.
Following the Advocate General's view in his September 23, 2015
opinion, the ECJ furthermore made clear that
the data protection authorities in Member States must be able to
examine whether a data transfer to a third country is in compliance
with the requirements of the EU Data Protection Directive, even if
a Commission decision (as in the case of the Safe Harbor) has been
adopted. However, only the ECJ itself shall have jurisdiction to
declare the Commission decision in question invalid. In finding
that Member State data protection authorities have such powers, the
ECJ may have opened up a new era of intervention by Member State
data protection authorities with respect to other Commission
decisions, including the EU Standard Contractual Clauses. However,
uniform application of the law seems to remain ensured by the fact
that only the ECJ shall have the ultimate decision regarding the
validity of the challenged Commission decision.
The Schrems case arose from a challenge by Austrian law
student Maximilian Schrems to the determination by the Irish Data
Protection Commissioner that the existence of the Safe Harbor
precluded the Irish agency from stopping Facebook's data
transfers from Ireland to the U.S., even though Facebook was
allegedly providing information to the U.S. intelligence services
in violation of EU data protection laws. Following the opinion of
the Advocate General, the ECJ concluded that the Safe Harbor did
not offer the requisite protections and that the Safe Harbor
arrangements should therefore be ended.
As with the annulment of the EU Data Retention Directive in
2014, the ECJ decision in the Schrems case
highlights again how quickly changes can come on data protection
laws once the ECJ is ready to pronounce on them.
All companies using Safe Harbor as a basis for their data transfers
to the U.S. (including in their agreements with suppliers) must
review such transfers and ensure that another valid basis to
provide for an adequate level of data protection is found. While
the ECJ did not grant a grace period to companies transferring data
on the basis of the Safe Harbor to adapt to this drastic change,
data protection authorities in Member States might consider
adopting a grace period before they start enforcing measures
against companies that have not yet implemented alternative
transfer instruments. Whether this option exists will, however,
need to be verified with the local authorities in each Member
State. The most relevant alternative transfer solutions readily
available for companies in this situation are EU Standard
Contractual Clauses. Other options, like consent of the data
subjects, might also be considered, depending on the situation.
Adopting Binding Corporate Rules is rather complex and
time-consuming and thus not suitable as a "quick fix"
solution but should be kept in mind as a possible mid- and
long-term solution.
The ECJ decision will certainly have a strong influence on the
ongoing negotiations between the EU and U.S. to amend the Safe
Harbor's terms, now possibly conducted with a view to reinstate
the Safe Harbor. Reinstating the Safe Harbor, however, will
inevitably require Safe Harbor registrants to significantly bolster
the protections they provide to personal data arriving from the
EU.
In any event, further radical change is coming soon, with the final
version of the new EU General Data Protection Regulation expected
to emerge from the Trilogue process at the end of this year or
early next year. The last few days have been a clear and dramatic
reminder to international companies that they must keep data
protection and cybersecurity issues high on the boardroom
agenda.