Last week, the European Court of Justice ("ECJ") issued a decision eliminating the EU-U.S. Safe Harbor Framework ("Safe Harbor") as a mechanism for EU personal data[1] transfers to the U.S. Safe Harbor has been the most streamlined, and most widely used, mechanism to shelter EU-U.S. data transfers. The ECJ's decision requires many U.S. and European businesses, which had relied upon the Safe Harbor, to instead implement other means to cover overseas data flows.
In its landmark decision, the ECJ: (1) invalidated the European Commission's 2000 decision that compliance with the Safe Harbor provisions constituted "adequate protection" for data transfers out of the EU; and (2) declared that the data protection regulator ("DPR") of each EU member state has the authority to hear complaints about the level of protection provided by U.S. companies for transferred EU personal data.
The ECJ found the Safe Harbor to be invalid for two key reasons. First, the Court stated that the unfettered access of U.S. law enforcement to personal information of EU citizens ran directly afoul of EU law. The EU generally constricts access to personal information, with a limited exception for law enforcement purposes that are "strictly necessary and proportionate" to protect national security. Second, the Court found that Safe Harbor did not permit legal remedies against U.S. companies by EU citizens seeking to access and correct their personal data, a key tenet of EU data protection law.
As a result of the ECJ's decision, U.S. companies may no longer rely on their Safe Harbor certification alone as authority to transfer personal data. While the U.S. Department of Commerce and the European Commission have been working for several years on a new Safe Harbor framework, prompt agreement on a new framework is anything but certain.[2] Until such an agreement is reached and ratified by the European Commission (a process which could require extensive input from the European Parliament and EU Council given the ECJ's criticism of the prior Safe Harbor), companies which had relied solely on their compliance with the Safe Harbor provisions should implement available alternative methods to conform to EU data transfer protection laws. As a matter of best practice, companies should continue to require U.S. partners, subsidiaries and vendors receiving EU personal data to comply with the obligations under the invalidated Safe Harbor, since those data transfers may later be found to comply with the terms of a new Safe Harbor agreement. At a minimum, such actions may help position companies to comply with any new requirements instituted under a new Safe Harbor agreement.
Is Your Company Impacted?
You are most likely subject to EU-U.S. data transfer regulations and impacted by the ECJ's Safe Harbor decision if you are:
- a U.S. company with EU offices, subsidiaries, affiliates, commercial partners or vendors, which send "personal data" regarding EU employees or customers[3] to the U.S.;
- a U.S. company using technical infrastructure (including servers) or service providers in Europe that send EU personal data to your U.S. infrastructure;
- an EU company sending EU personal data to a U.S. office, subsidiary, affiliate, commercial partner or vendor; or
- an EU company using technical infrastructures (including servers) or service providers located in the U.S.
Alternative Solutions for Impacted Companies
Several DPRs have indicated that they intend to issue guidance on how companies may make compliant data transfers to the U.S. in the wake of the ECJ ruling, and will not take immediate enforcement action against affected companies. A few options other than Safe Harbor compliance are available under EU law to cover data transfers until a new Safe Harbor agreement is reached.
First, companies may include in data transfer agreements standardized data transfer clauses which have been approved by the European Commission.[4] Among other requirements, these model clauses direct contracting parties to describe the data to be transferred, state the purposes for transfer, and disclose the security measures in place to protect the data. If implemented verbatim, the standard contractual clauses automatically cover EU data transfers to the U.S. However, be aware that these standard contractual clauses provide European citizens whose data is transferred a private right of action against the agreement parties.
Second, a company may adopt binding internal corporate rules concerning data protection and privacy, backed by training and audit programs. If approved by the relevant EU member countries' DPRs, adoption of these rules allows multinationals to transmit data anywhere within the group of entities covered by the rules, even to countries that do not offer "adequate" protection (such as the U.S.). This option is time-consuming and expensive because it typically takes approximately 18 months to obtain the approval of the DPR of each EU member country in which the company collects and transfers EU personal data. This option is best reserved for systematic transfers occurring over an extended period (e.g., payroll processing and other human resources transfers).[5]
Finally, companies may transfer EU personal data to the U.S. with the individual's consent -- which must be explicit, specific, freely given, discretionary and waivable. This option poses a number of obstacles which are readily apparent. For instance, it would be difficult to establish that an employee's consent to the transfer of human resources data was "freely given" since the employee is under the influence of the employer.[6] For more information on the requirements for obtaining consent, see Article 29 Working Party Opinion 187.
The ECJ's invalidation of Safe Harbor poses new risks to companies transacting business in the EU or otherwise relying upon transfers of EU data to the U.S. However, until a new Safe Harbor framework is adopted addressing the concerns cited in the ECJ's ruling, employing one of these alternative mechanisms may prove to be the most efficient and effective method of complying with European data protection transfer mandates. Please contact our Data Security & Privacy team with any questions you have about EU/U.S. data transfer developments, including any DPR-issued guidance concerning legally compliant methods for overseas data transfers.
[1] Under Safe Harbor, "personal data" is defined by European Commission Directive 95/46/EC. The Directive definition is much broader than typical U.S. classifications, covering data such as IP addresses, information included in cookies, and behavioral information.
[2] Some expect a new Safe Harbor framework and agreement to be finalized in early 2016.
[3] Under Directive 95/46/EC, the "personal data" must relate to a natural person who can be identified, directly or indirectly, and in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (a 'data subject').
[4] However, on October 14, 2015, the DPR for the German state of Schleswig-Holstein issued a press release and position paper stating that standard contractual clauses likely are not a valid means to transfer data to the U.S., following the ECJ's logic for invalidating Safe Harbor. The Schleswig-Holstein DPR specifically recommends that companies using standard model contracts cancel them with their U.S. partners and do a complete review of data transfers, consulting with the Schleswig-Holstein DPR in each instance. It remains to be seen whether other DPRs will take such a harsh stance.
[5] A new General Data Protection Regulation (GDPR), expected to be finalized in 2016 and take effect in 2018, will replace the Directive. The GDPR is expected to greatly streamline binding corporate rules, making the process much more practical for businesses.
[6] "Where consent is required from a worker, and there is a real or potential relevant prejudice that arises from not consenting, the consent is not valid in terms of satisfying either Article 7 or Article 8 as it is not freely given… An area of difficulty is where the giving of consent is a condition of employment. The worker is in theory able to refuse consent but the consequence may be the loss of a job opportunity. In such circumstances consent is not freely given and is therefore not valid." Article 29 Working Party Opinion 48 on the processing of personal data in the employment context.