Unsafe Harbor – the EU’s ruling on US data transfers explained

Daniel Whitehead considers the implications of the EU Court of Justice’s landmark declaration that the Safe Harbor agreement, which allows companies such as Facebook and Google to transfer personal data on EU citizens to the US, is invalid.

On 6 October 2015 the European Court of Justice dramatically ruled that the long-standing Safe Harbor arrangement for the transfers of personal data between EU countries and the US is invalid. The ruling has the potential to create significant legal uncertainty over the coming months for companies that are involved in these transfers.

What is Safe Harbor?

Under EU data protection law, data about individuals which is processed in the EU can only be transferred outside of the European Economic Area when the exporter of the data can establish that it will be adequately protected in the host country.

Due to the vast quantities of data that is transferred to US companies, it was agreed in 2000 that the EU and US would implement a standardised process to attain adequacy. This scheme was titled Safe Harbor and allowed a US company to undertake self-certification under its rules. The company that was exporting the data was then able to consider a Safe Harbor certificate as sufficient for guaranteeing adequacy without any further assessment being conducted.

Companies such as Facebook and Google amongst many others have since sought to rely heavily on Safe Harbor as a legal basis for transferring huge quantities of personal data to their US parent companies.

Why is this now an issue?

Since the revelations made by Edward Snowden in 2013 about the US government’s surveillance practices, the EU and many of its citizens have become increasingly wary about how personal data that is held in the US may be accessed and used.

These concerns recently came to a head after Austrian student, Max Schrems, filed a complaint with the Irish Data Protection Commissioner (Irish DPC) claiming that Facebook’s reliance on Safe Harbor to transfer data from Facebook Ireland to its US parent company did not amount to adequate protection of his personal data. Mr Schrems alleged that the activities of the US intelligence services demonstrate that companies based within their jurisdiction cannot adequately protect his or any other EU citizen’s data against state surveillance.

Although the Irish DPC originally dismissed the complaint, Mr Schrems decided to challenge the commissioner’s decision through the Irish courts, which subsequently referred various questions to the European Court of Justice (CJEU), including whether Safe Harbor is a valid mechanism for ensuring adequacy.

The decision of 6 October effectively declared that Safe Harbor is now considered legally invalid and therefore inadequate for the protection of personal data that is transferred to the US.
In addition to the CJEU’s predictable concerns about the large-scale access to data by US intelligence agencies, the court also raised doubts as to whether US organisations adhered to the principles of Safe Harbor in practice and highlighted the difficulty in EU citizens being able to take enforcement action against those organisations found to be in breach of it.

How does the ruling affect your organisation?

The ruling means that companies that are located in the EU need to urgently review their existing arrangements with US-based suppliers (and those with US-based group companies to which they transfer data) and their own group companies. In cases where Safe Harbor is being relied upon, the parties will need to agree on alternative measures.

Although the alternatives are numerous, it is generally thought that the simplest and most comprehensive method of achieving adequacy is through the adoption of model clauses. Model clauses are a set of standard terms which have been previously approved by the EU Commissioner and are entered into as a binding agreement between the EU-based data exporter and the US importer.

From a compliance perspective the model clauses are arguably a significant improvement on merely relying on a company’s status as a Safe Harbor certified body. Therefore, their widescale adoption may ultimately reduce the risk profile of EU organisations. Under the previous Safe Harbor framework there was potentially no legal recourse against a US company that failed to adhere to its principles, unless stated otherwise in the commercial contract between the parties. By comparison, the model clauses create a binding set of obligations on the US company which allow for a relatively straightforward breach of contract claim to be available to the EU-based exporter in the event of a default.

However, the ruling brings into question the entire basis of whether adequacy can ever be truly achieved in the US. No method that currently exists within the EU’s armoury is likely to be sufficient to avoid the inevitable disclosure of personal data to the US intelligence agencies. It is therefore advisable for EU exporters to seek an indemnity from their US counterparts. This would compensate them for any losses incurred as a result of any action taken by a data protection regulator that alleges that the exported data was not adequately protected and any claims brought by affected individuals. Whilst the indemnity could also be extended to cover reputational loss, this type of loss can be difficult to quantify and thus enforce.

EU exporters should also consider seeking an immediate right to terminate in the event of a data breach, with such breaches including the disclosure of personal data to the US intelligence agencies. This at least would give them the option of immediately terminating their relationship (albeit subject to any transitional exit arrangements) and, if required, put out a press release to that effect to try to reassure any affected individuals or at least mitigate any further damage.  

Unfortunately, in reality, the true impact of reputational damage and the loss of customer trust are difficult and timely to repair and are unlikely to be adequately remedied by any form of financial compensation. There is also the practical issue that neither the US importer nor the EU exporter may be aware of personal data having been accessed by the US security agencies. In many cases it may not have been, but this will not prevent customers or other individuals such as employees having grave concerns about the possibility, particularly given the widespread reporting of the CJEU’s decision.

For US companies the requirement to adopt model clauses and the potential for additional indemnities may have a significant impact. Compliance teams should be taking immediate steps to check existing compliance with EU data protection laws and acting to correct deficiencies. Any risk assessment associated with, for example, agreeing to give the type of indemnity suggested above will need to balance the need to reassure EU customers, with the fact that in the event of a claim, there is unlikely to be any recourse against the US security agencies or the US government.

Author - Daniel Whitehead

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.