Opinion of the Court of Justice of the European Union (the “CJEU”)
On 6 October 2015 the CJEU ruled not only that the long-standing Safe Harbor framework is no longer a valid legal basis for transferring personal data from the EU to the US, but also specifically that:
- The original decision of the EU Commission as to the adequacy of Safe Harbor is invalid
- EU Data Protection Authorities (“DPAs”) retain authority to investigate data transfers and to verify compliance with the minimum standards of the Directive, regardless of any EU Commission ruling on the adequacy of an agreement.
The CJEU stated that “adequacy” needs to be considered in light of the domestic legal regime in a given country, and the key reasons for the CJEU’s decision that Safe Harbor did not adequately protect EU citizens’ data were that:
- In allowing unfettered access to, or storage of, data by law enforcement authorities, the US had failed to demonstrate that it ensures an adequate level of protection by reason of its domestic law or its international commitments
- Fatally, there was no legal redress mechanism for EU citizens under the Safe Harbor agreement.
What does this mean for data that has already been transferred to the US under the Safe Harbor regime?
Although transfers of data from the EU to the US that currently rely on Safe Harbor as their legal basis are no longer lawful, it does not follow that data previously transferred under Safe Harbor has lost its value. There is no requirement for companies to delete or return data previously transferred from the EU to the US under Safe Harbor.
Where a Safe Harbor policy is already in place, in the short term it would be prudent to continue to treat EU data in accordance with that policy. This gives US companies a basis on which to say that the data (leaving aside access by law enforcement authorities) is being protected to standards that have not been questioned as non-compliant with the principles of EU data protection.
Is there a risk of enforcement by DPAs?
The US authorities, including the Federal Trade Commission, recognise the current situation and will themselves need time to consider how best to respond.
Provided US companies continue to treat information in accordance with their existing Safe Harbor policies, those policies can remain in place. As long as companies handle the information transferred under those policies in the way they have represented, there will be no repercussions under US law.
As for enforcement by EU DPAs, it again seems unlikely that there is a risk of immediate enforcement in this initial period while they take time to consider their position. The Article 29 Working Party’s detailed opinion is awaited following a meeting in Brussels this week.
How should companies that were operating under Safe Harbor respond to ensure that their data transfers comply with the Directive?
Although incorporating the EU Commission’s model clauses (standard contractual clauses) is a good short-term solution, binding corporate rules are probably regarded by European policymakers as the mechanism providing the highest level of data protection on a global scale. Multinationals which have been operating globally, using Safe Harbor as the basis for their intra-group privacy compliance programme, should look to migrate those existing programmes into binding corporate rules.
Companies should also seek vendor guarantees, in the form of a written statement from each vendor detailing the steps it has taken to ensure that it complies with the EU adequacy requirements.
What is the long term solution? Safe Harbor 2.0
A revised version of the original Safe Harbor regime, dubbed “Safe Harbor 2.0”, has been the subject of negotiations for the past two years. It is understood that the negotiations are practically complete; however, there is currently no date for its implementation.
It should be remembered, however, that the original Safe Harbor regime was never highly regarded by EU authorities and, in particular, the EU Commission said it fell short of providing an “adequate” level of protection for EU citizens in the following areas:
Additionally, and importantly, the issue of US law enforcement’s unfettered access to data remains unresolved. Although the Obama Administration sought to limit the National Security Agency’s activities in this area following the Snowden revelations, it remains to be seen whether those restrictions will satisfy EU standards. In view of this, although it is widely anticipated that Safe Harbor 2.0 will calm the chaos created by the demise of its predecessor, it is not yet clear that it will prove an “adequate” mechanism for doing so.
The Judicial Redress Bill
The Judicial Redress Bill is currently going through the US legislature and sets out provisions whereby EU citizens would be accorded the same rights to redress as US citizens under the US Privacy Act in respect of their personal data held by US federal agencies.
If this becomes law, it is hoped that it will be the crucial element that makes Safe Harbor 2.0 a success where its predecessor fell down. It is, however, unclear whether the bill will be passed, in light of the approaching US elections in 2016.
Life after Safe Harbor
The decision of the CJEU sends a clear message that the conflict between an authority’s ability to capture information and carry out surveillance in the interest of public safety on the one hand, and the public’s right to privacy on the other, must be resolved. Only then will a mechanism like “Safe Harbor” prove effective.
This information is intended as a general discussion of the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.