Safe Harbor Framework Invalidated
Posted: October 16, 2015
On October 6, 2015, the Court of Justice of the European Union (ECJ) issued an opinion that rattled many businesses based both in the United States and the European Union. The ECJ invalidated the U.S.-EU Safe Harbor Framework that thousands of organizations relied on to lawfully transfer personal data.
Overview: EU Data Protection Directive & Safe Harbor Framework
At issue in the case at hand is the EU Data Protection Directive 95/46/EC (Directive) enacted in 1998. The Directive provides stringent protections for personal data of data subjects (including requirements relating to access, accuracy, data retention and security), and establishes legal conditions for the proper processing and transfer of personal data. In relation to data transfers, data may be transferred to a third party if particular conditions are met such as consent from the data subject. However, if data is transferred outside of the European Economic Area (EEA), it may only be transferred to a country that offers “adequate” protection or that meets one of several other requirements. Historically, the U.S. has never been considered to be “adequate” from a data privacy perspective.
Following the passage of the Directive, the U.S. Department of Commerce consulted with the European Commission regarding the Directive’s “adequacy” requirement with the understanding that the U.S. has traditionally approached data privacy quite differently than the EU. The Safe Harbor Framework resulted from those conversations and was approved by the EU in 2000 via the Commission’s Decision 2000/520/EC. To enter the Safe Harbor program, companies must have developed or joined a self-regulatory privacy program that adhered to seven privacy principles: notice, choice, onward transfer, access, security, data integrity and enforcement. Companies that entered into the program were also required to annually self-certify compliance to the U.S. Department of Commerce, while enforcement fell to the Federal Trade Commission (FTC), comparable U.S. government agencies and/or states.
The current case at hand stemmed from a complaint lodged with the Irish Data Protection Commissioner (DPC) by an Austrian citizen, Maximillian Schrems. Schrems alleged that Facebook Ireland should be prohibited from transferring any of his personal data to Facebook Inc. in the United States. In making his complaint, Schrems cited the revelations made by Edward Snowden in 2013 regarding the surveillance activities of the U.S. National Security Agency (NSA). In particular, Schrems claimed that the U.S. “cannot offer sufficient protection against surveillance by the public authorities.” (See ECJ Press Release No 117/15). Schrems’ complaint was initially rejected by the DPC on the basis of the Safe Harbor Framework and a lack of evidence that Schrems’ data was accessed by the NSA. Schrems appealed, and the case eventually made its way from the Irish High Court to the ECJ as it concerned the implementation of EU law.
The crux of the ECJ’s ruling focused heavily on the issue of surveillance activities and a lack of protections for EU citizens rather than on business needs and purposes associated with data transfers, particularly the Safe Harbor Framework. Indeed, a main point of issue was the fact that U.S. organizations self-certify compliance with the Safe Harbor Framework, but U.S. government authorities are not required to comply. Further, the ECJ highlighted that Decision 2000/520/EC states that any national security or law enforcement requirements will trump the Safe Harbor Framework principles and thus U.S. organizations may be required to disregard those principles at any point. Given this fact, the ECJ determined that authorities in the U.S. may access and process personal data that was transferred in a way incompatible with the reason behind the primary collection and transfer. The ECJ also found that data subjects had no means or ability to exercise rights to access, rectify or erase personal data in this type of scenario.
After this analysis, the ECJ opined that the Commission did not conclude in Decision 2000/520/EC that the U.S. provides an adequate level of protection via domestic law or international commitments. Accordingly, the ECJ held Decision 2000/520/EC did not meet the Directive’s requirements and that it was “invalid”.
Finally, the ECJ found that no data protection authorities (DPAs) of any member state are prohibited from examining claims filed by individuals regarding whether or not personal data was transferred from a member state to a third country that does not ensure an adequate level of protection.
The news following this ruling has been fast and furious over the last week and a half. Curiously, the FTC and U.S. Department of Commerce have been relatively quiet, other than comments from the FTC that they share a mutual commitment with the EU to provide protection for personal data. On the other hand, the relevant DPAs for member states have begun to issue commentary. For example, the Information Commissioner’s Office in the United Kingdom issued a statement explaining that it understands that businesses that previously relied on the Safe Harbor Framework will need “some time” to review how data transfers will occur moving forward. Conversely, the data protection authority (ULD) in Schleswig-Holstein (Germany) issued a press release and position paper this week calling into question whether alternatives to data transfer – standard contractual clauses or data subject consent – were valid. (Note: binding corporate rules are also a noted alternative data transfer mechanism).
On October 16th, the Article 29 Working Party issued a press release commenting on the ECJ’s ruling. In particular, the Article 29 WP urged member states to open discussions with U.S. authorities to find legally, politically and technologically appropriate solutions that would enable personal data transfers to the U.S, and cited the potential “Safe Harbor 2.0” framework that is currently under negotiation. While the Article 29 WP noted it is continuing its analysis, it did state that “data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used”; however, it highlighted that data protection authorities will not be prevented from investigating cases based on complaints or exercising their authority to protect individuals. In addition, the press release called out (in bold font) that: “In any case, transfers that are still taking place under the Safe Harbour decision after the [ECJ] judgment are unlawful.”
While not as popular in terms of press coverage, the U.S.-Swiss Safe Harbor Framework has also been called into jeopardy by the ECJ’s decision. The Swiss Federal Data Protection and Information Commissioner (FDIC) issued a press release commenting that the “agreement between the Switzerland and the USA is also called into question” by the ECJ’s decision. The FDIC encouraged Swiss companies to enter into additional agreements with any U.S. companies in order to better protect personal data.
Companies in the United States without alternative methods in place to lawfully transfer personal data are undoubtedly scrambling to implement an appropriate and legally viable method of transfer. Any impacted company should continue to monitor the news on this issue and should consult with qualified legal counsel to determine what the best next steps are for the organization.
 The ECJ analyzed the “adequate level of protection” requirement noting that it must be “must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed” by the Directive.