Data in Disarray: The Aftermath of the Safe Harbour Decision
As has been reported widely in the world media, the Court of Justice of the European Union (CJEU) this week declared the EU-US Safe Harbour regime to be invalid. The decision has understandably given rise to a lot of concern among European businesses that transfer data to the US.
In this update, we seek to answer the main questions that are being asked following the CJEU ruling.
What exactly did the CJEU decide?
The judgment runs to 28 pages and it contains some far-reaching pronouncements on the citizen's right to privacy and the limits to state interference with that right. These aspects of the CJEU's judgment will have reverberations for years to come. However, the CJEU has made just two findings that have immediate legal consequences, namely:
- The Commission Decision (Decision 2000/520) that incorporates the Safe Harbour regime into European law is invalid in its entirety.
- European data protection authorities (DPAs) are empowered to examine citizen complaints that their data protection rights are not adequately protected in a third country even if the European Commission has made a decision that the third country does provide adequate protection.
How will EU to US data transfers be impacted?
4,400 US companies have been certified under the Safe Harbour programme operated by the US Department of Commerce. Among those certified are some of the world's largest corporations and information service providers.
Before the CJEU's decision, this certification meant that a company in Europe could rely on the US company's Safe Harbour certification as providing a sufficient legal basis for transferring personal data to the US company. That legal justification has been removed with immediate effect.
It is the legal responsibility of European companies that are transferring data to the US to find some alternative basis for legitimising transfers of data to Safe Harbour certified US companies. It is to be expected that affected US companies will be eager to work with their business partners in Europe to ensure that the alternative legal structures are implemented swiftly.
The loss of the Safe Harbour regime will cause inconvenience for those who currently rely on it, and it will inevitably give rise to a period of legal uncertainty, but most companies should be able to put in place an alternative legal structure for legitimising EU to US data transfers.
Will EU to US data transfers have to cease?
It's very early to say, but probably not. Many European companies already legally transfer personal data to the US without relying on the Safe Harbour regime. After all, only 4,400 US companies are currently Safe Harbour certified. The net effect of the CJEU decision is to require European companies to look to alternative legal structures (see below) instead of relying on a Safe Harbour certification.
In reality, the CJEU ruling places Safe Harbour certified US companies in the same position as companies in most other countries of the world. At present, the European Commission has fully approved just 10 countries in the world - Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey, Andorra, Israel, New Zealand and Uruguay - as providing adequate legal protection for EU citizens' data protection rights. When transferring personal data to any other country (e.g. important trading partners like Australia, India and China), under the current law, European companies already have to identify a proper legal basis for making the transfer, and they have never had the Safe Harbour option available for those countries.
What are the alternative legal structures?
The Irish DPA lists nine distinct legal grounds for transferring personal data outside of the EEA. However, in practice, only three of these are likely to provide viable alternatives to Safe Harbour:
- Model Contracts. "Model contracts" are a form of contract approved by the European Commission that oblige a non-EEA party receiving personal data to adhere to a set of limitations on processing personal data that are designed to reflect the requirements of European data protection law. There are two types of model contract – "controller to controller" and "controller to processor". Model contracts are already widely used by European companies that transfer data outside the EEA. They can be used for intra-group data transfers or for the purpose of customer-supplier transfers. While limited drafting is required to put in place these contracts, they can pose administrative challenges when data transfers are made among multiple parties.
- Binding Corporate Rules (BCRs): BCRs are a set of binding rules on data protection compliance that require approval from DPAs across the European Union. They can take many months to gain approval, and are only applicable to intra-group transfers. They are therefore not likely to provide a solution to most European companies engaged in transfers of data to the US.
- Data Subject Consent. Unambiguous informed consent of a data subject to the transfer of his/her personal data outside the EEA is a valid legal basis for exporting data. The Irish DPA generally cautions against relying on data subject consent for justifying transfers of data outside the EEA because of the high threshold there is for establishing the validity of the consent. This ground is unlikely to provide a solution for most data transfers.
In truth, the adoption of model contracts is likely to be the only viable legal mechanism available for remedying the majority of impacted EU to US data transfers.
Are "model contracts" at risk in light of the CJEU decision?
Model contracts remain valid and thus they can continue to be used for so long as the Commission Decision approving them remains in force. However, the CJEU decision has made it clear that national DPAs are obliged to review the adequacy of protection afforded by third countries, even where there is a Commission Decision as to adequacy in place. Furthermore, the CJEU has indicated that the adequacy of a third country's level of protection must be assessed by reference to how European citizens' Charter rights are protected by that country's laws. If the level of protection is not equivalent to European standards, then it will be found to fall short.
These forthright positions of the CJEU mean that model contracts are themselves vulnerable to a future legal challenge. However, because the CJEU alone has the power to invalidate a Commission Decision, any such challenge would first have to be brought before a national court or DPA and then referred to the CJEU, so it will take a number of years before any such case reaches the CJEU.
My data service provider is a US company, what should I do?
We have drawn up the following checklist of questions to help companies assess the impact of the CJEU decision on their service provision arrangements:
- Is my contract with the US entity or a European subsidiary?
- Does my US service provider in fact process any of my company's personal data (e.g. employee records, or customer information)? The storage of personal data is a form of data processing covered by data protection law.
- Does my existing contract already deal with data transfers to the US? There may already be model contracts in place.
- Is my service provider Safe Harbour certified?
- If my service provider is affected by the CJEU decision, has it announced any plans to put in place alternative arrangements for its customers?
- Consider guidance that is likely to be issued by European DPAs over the coming weeks.
What does the future hold for EU to US transfers?
Prior to the CJEU decision, the EU and US were close to concluding an agreement on a replacement to the now invalid Safe Harbour regime. It is not clear yet how the CJEU ruling will affect those negotiations, or whether it will require the US authorities to introduce additional legislative reforms to meet the criteria of adequacy established by the CJEU.
What happens next in the Schrems case?
The case will now return to the Irish High Court, which will make a final ruling on Mr Schrems' challenge to the Data Protection Commissioner's decision not to investigate his complaint against Facebook Ireland transferring his personal data to the US. Assuming that the Court upholds his challenge, the Data Protection Commissioner will then have to commence an investigation into the adequacy of protection afforded under US law to the personal data of Facebook's European users, taking account of the criteria set out in the CJEU's judgment.
For further information, please contact John Whelan at email@example.com, John Cahir at firstname.lastname@example.org, Mark Rasdale at email@example.com or Claire Morrissey at firstname.lastname@example.org.
Date published: 08 October 2015