So Long, Safe Harbor (For Now, Anyway) | Practical Law

A Legal Update discussing the US-EU Safe Harbor framework for data transfers and the European Court of Justice's decision in Maximillian Schrems v Data Protection Commissioner, Case C-362/14, 6 October 2015, in which the court ruled that the Safe Harbor framework is invalid. It includes a discussion of practical considerations for assessing a business's EU data transfer practices in light of the decision.

So Long, Safe Harbor (For Now, Anyway)

Practical Law Legal Update 4-619-4009 (Approx. 6 pages)

by Practical Law Intellectual Property & Technology
Published on 13 Oct 2015
USA (National/Federal)
On October 6, 2015, the European Court of Justice (ECJ) issued its preliminary opinion in Maximillian Schrems v. Data Protection Commissioner, in which it ruled that the US-EU Safe Harbor Framework is invalid (Case C-362/14, 6 October 2015 (Curia)).
Under the EU Data Protection Directive (1995/46/EC) (EU Directive) and the implementing laws of the signatory states, a data controller may transfer the personal data of EU data subjects to countries outside the European Economic Area (EEA) only if the transferee country's laws provide adequate protection for the personal data. In short, adequate protection is measured by whether the country's laws provide protection similar to that provided for by the EU Directive. (See Article 25(1) of the EU Directive.)
In addition to the now invalidated Safe Harbor framework, there are several methods for validating a transfer of the data of an EU data subject:
  • Consent of the data subject and where the transfers are necessary. Obtaining appropriate consent to data transfers under the EU Directive is challenging for several reasons. Under the EU Directive, consent is almost never a valid form of adequate protection when dealing with employee data. In addition, the EU Directive contains several derogations under which transfers may be made where necessary to perform a contract with the data subject and other limited circumstances (see Article 26(1) of the EU Directive).
  • Binding corporate rules. Binding corporate rules are intra-company agreements that permit companies to transfer data amongst corporate family entities.
  • Model contract clauses. The European Commission has approved form model contract clauses that incorporate the EU Directive's adequate protection principles (see Standard Clauses, Standard contractual clauses for the transfer of personal data from the European Union to processors established in third countries (controller-to-processor transfers) and Standard contractual clauses for the transfer of personal data from the European Union to controllers established in third countries (controller-to-controller transfers)).

Safe Harbor Framework

The Safe Harbor program is the result of negotiations between the US and EU data protection authorities and arose following the European Commission's conclusion that US law does not provide adequate protection to data subjects. The Safe Harbor framework was approved by the authority of Article 1 of Commission Decision 2000/520/EC (Decision 2000/520) and provides that adequate protection is provided by US undertakings that self certify their adherence to the seven Safe Harbor principles. The Department of Commerce administers the Safe Harbor program, and the Federal Trade Commission (FTC) enforces it.
For more information on the Safe Harbor framework, see Standard Document, Safe harbor policy.
Over 4,000 entities have self-certified through the Safe Harbor program. However, this program has not been without controversy. In 2013, following Edward Snowden's revelations regarding the US National Security Administration's (NSA) PRISM program, the framework faced heightened scrutiny regarding whether it really provides protections similar to those available under the EU Directive (see Legal Update, Will the US-EU Safe Harbor Run Aground?). In addition, it came to light that many entities that had self-certified were not actually adhering to the Safe Harbor principles.
These events led EU regulators to call into question the effectiveness of the Safe Harbor, and US and EU representatives entered protracted negotiations in an attempt to strengthen the Safe Harbor program. Ultimately, the European Commission recommended 13 reforms to the Safe Harbor program to the European Parliament and European Council, including, for example:
  • Following their certification or recertification under the Safe Harbor, a certain percentage of companies should be subject to regulatory investigation of the compliance of their privacy policies with Safe Harbor requirements.
  • Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbor and, in particular, when the company applies exceptions to the Safe Harbor Principles to meet national security, public interest or law enforcement requirements.
  • False claims of Safe Harbor adherence should continue to be investigated by the relevant US regulatory authorities.
  • A national security exception to the Safe Harbor requirements should be invoked only to an extent that is strictly necessary or proportionate to the protection of national security.
While the EU also considered a significant revision to the EU Directive, Safe Harbor negotiations also continued over a multi-year period, with the parties announcing in November 2013 that they had agreed on remedies that addressed all but one of the EU regulators' concerns, that being the EU's requirement that the US restrict its electronic data surveillance practices to surveillance that is necessary or proportionate to protect national security. (See Communication from the Commission to the European Parliament and the Council, COM (2013) 847 (Nov. 27, 2013)).
The FTC also began ramping up enforcement of the Safe Harbor, bringing actions against multiple companies for failing to abide by their Safe Harbor obligations (see, for example, FTC Settles with Twelve Companies Falsely Claiming to Comply with International Safe Harbor Privacy Framework).

The Schrems Case

Decision

Against this background, Maximillian Schrems, an Austrian law student and Facebook subscriber, brought a complaint with the Irish Data Protection Commissioner (DPC) calling into question Facebook's data transfer practices and whether US law provides adequate protection for personal data in light of US mass surveillance programs such as PRISM. The DPC declined to examine the substance of Schrems's complaint because Decision 2000/520 had found that the Safe Harbor, under which Facebook was making the transfers, provided adequate protection. Schrems then took his case to the courts, culminating in a request by the Irish High Court that the ECJ clarify whether a national supervisory authority (such as the DPC) is bound by Decision 2000/520 when determining a complaint that a transferee country's laws do not provide adequate protection. It also asked whether, alternatively, the DPC should conduct its own investigation of the matter.
On September 23, 2015 Advocate General Bot of the ECJ issued an opinion:
  • Finding that:
    • the adequacy findings do not prevent a DPA from investigating a data transfer made under those findings; and
    • if the DPA (or a national court) believes that the adequacy finding itself is incompatible with EU primary law, then there must be a procedure to bring the issue before the ECJ via the preliminary reference procedure.
  • Proposing the ECJ should find the Safe Harbor framework to be invalid.
The case then went to the ECJ for consideration. Though the ECJ was not bound by the AG's opinion, on October 6, 2015, the ECJ issued an opinion largely agreeing with the AG and invalidating the Safe Harbor framework, in sum, on the basis that data transferred to the US would be subject to US surveillance that the ECJ did not deem to be necessary to protect national security.

Effect of the Decision

It is difficult to predict the long-term implications of the Schrems opinion, particularly in light of:
  • The continuing negotiations over revising the Safe Harbor framework.
  • The court's reasoning for invalidating the Safe Harbor framework arguably applies equally to any transfer of personal data to the US, whether made under the Safe Harbor, model clauses or binding corporate rules. That is, under US law, data in the US is subject to mass surveillance requests that the ECJ deems unnecessary.
It seems clear, however, that the Safe Harbor framework as it previously existed is no more. But it also seems likely that a revised Safe Harbor program, or its equivalent, will be reincarnated out of the ongoing US-EU negotiations. Supporting this conclusion, the US Department of Commerce has issued an advisory stating that, for now, it will actually continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor framework.

Practical Considerations

While the invalidation of the Safe Harbor presents a challenge, businesses should not panic. In practice, many companies rely on multiple channels to validate their EU data transfers. In addition, several regulatory authorities, including the UK's Information Commissioner's Office (ICO) and the Article 29 Working Party, have released statements recognizing the challenges that the opinion presents for businesses and indicating they will begin immediately working on clarifying the opinion's effect.
While it is clear that businesses will face significant uncertainty for some time, the following are steps to take in responding to the changed landscape:
  • Assess whether the business relies on the Safe Harbor framework to validate data transfers. If so, take some time to consider whether it is in compliance with the Safe Harbor principles. It seems unlikely in the short-term that regulators will be looking to target companies that have, in good faith, relied on and complied with a previously approved method of validating data transfers.
  • Assess what contracts the business has in place relating to processing EU citizens' data. If those contracts do not already incorporate or include the model clauses, consider amending the current contractual arrangements to add the model clauses as addenda. Where no contracts are in place at all, move quickly to get contracts including the model clauses in place.
  • Consider whether any of the business's data transfers may be supported by data subject consent or because the transfer is necessary. While relying on these statutory derogations is often difficult, understanding whether they may support some data transfers is an important part of assessing the company's current data transfer posture.
  • Consider whether external-facing privacy statements should be revised to reflect any organizational changes made in response to the opinion. While the Department of Commerce continues to administer the Safe Harbor program and until there is some clarity regarding going-forward compliance, depending on the business's practices, it may not make sense to excise reference to the Safe Harbor from any external-facing privacy statements. However, any time a company changes its practices relating to personal data, it should consider whether its external-facing policies remain accurate in light of those changes.
While a company may wish to begin considering binding corporate rules, the process for drafting, reviewing and obtaining the necessary regulatory approvals is long and difficult. Particularly given the outstanding issues regarding the effect of the opinion on other data transfer validation methods, investing significant resources into drafting binding corporate rules may not be fruitful until there is greater clarity.
For more background on the Safe Harbor program and a detailed analysis of the Schrems opinion, see Legal Update, ECJ rules that the EU-US safe harbor arrangement is invalid.
Update: On October 16, 2015, the Article 29 Working Party issued a statement calling for further talks to find a solution enabling EU-US data transfers in light of the Schrems ruling, noting that "current negotiations around a new Safe Harbor could be part of the solution." The statement reiterated that transfers under the Safe Harbor mechanism are now unlawful and called into doubt the ongoing validity of the model clauses and binding corporate rules, though it noted that businesses could continue to rely on those mechanisms for now. The statement further provided that if no resolution is found by the end of January 2016, the data protection authorities may begin bringing enforcement actions. For more information, see Legal Update, Article 29 Working Party publishes statement in aftermath of Safe Harbor invalidity ruling.