CJEU has declared Safe Harbor invalid

What has happened?

On 6 October 2015, the CJEU declared the Commission’s 2000 decision on Safe Harbor to be invalid, with immediate effect. The CJEU also held that the existence of any Commission decision that a third country ensures an adequate level of protection (which applies, for example, to Argentina, Canada, Israel, New Zealand, Switzerland and Uruguay) cannot reduce the powers of national data protection authorities, opening up the possibility of future challenges to those adequacy findings as well.

This CJEU judgment has wide ramifications, both in respect of the U.S. Safe Harbor scheme but also beyond.

What is Safe Harbor?

Under the Data Protection Directive, transfers of personal data outside the EEA may, in principle, take place only if the receiving country ensures an adequate level of protection of the data. The Commission may find that a particular country ensures adequate protection, or other mechanisms can be used to legitimise the transfer, such as using the standard contractual clauses adopted by the Commission (the Model Clauses), or Binding Corporate Rules (for intra-group transfers). The Commission made a finding of adequacy with respect to transfers to U.S. companies who have signed up to the Safe Harbor scheme.

What is the case about?

Max Schrems lodged a complaint about the transfer of his personal data from Facebook in Ireland to Facebook’s U.S. servers. He argued that, following the Snowden revelations in 2013 concerning mass surveillance of data by U.S. intelligence services, data should not be transferred to the U.S. on the grounds that U.S. law does not offer sufficient protection. His complaint was initially rejected by the Irish national data protection authority. However, following appeal to the Irish High Court, which in turn referred certain questions to the CJEU, the CJEU has ruled on two issues: (a) the validity of the Safe Harbor regime in relation to data transfer to the U.S, and (b) whether national data protection authorities can investigate and, if necessary, suspend data transfers, notwithstanding the existence of the Commission’s decision that the receiving country is adequate.

What did the CJEU decide?

The CJEU, in general agreement with Advocate General Bot’s opinion, has declared that the EC decision that Safe Harbor provides adequate protection is invalid. It emphasised that only the CJEU could make such a determination of invalidity.

Additionally, the CJEU confirmed that the Data Protection Directive does not prevent oversight by national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission adequacy decision.

The Irish DPA must examine Mr Schrems’ complaint to decide whether transfer of the data of Facebook’s European subscribers to the U.S. should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

What does this mean for businesses?

This decision will result in significant inconvenience to businesses in the short term, both for EU and U.S. entities.

European entities that transfer personal data from the EU to the U.S. on the basis of Safe Harbor will quickly have to find an alternative way to legitimise the transfer. The ICO in the UK recognises that it will take businesses “some time” to review how they ensure that data is transferred to the U.S. in line with the law, and the Commission in their press conference offered their support. In a Statement on 16 October, the Article 29 Working Party (an independent advisory body composed of representatives from the national data protection authorities) made it clear that businesses need to put in place legal and technical solutions in a “timely manner”.

The same is true of any U.S. entity that relied on Safe Harbor in order to import data from EU countries. As a result of customer pressure, they are likely to have to choose between putting in place European servers (which could be costly and impractical) or agreeing to put in place an alternative way to legitimise the transfer.

The impact of this judgement will, of course, largely depend on whether organisations are relying solely on Safe Harbor for transfers, or are backing it up with other measures. Many large EU multi-national organisations already require Safe Harbor certified service providers to enter into Model Clauses and the immediate impact for those companies is likely to be limited.

Any entity transferring personal data from the EU to other jurisdictions held to be adequate by the Commission, may also consider finding supplementary ways in which to legitimise transfers to those countries. This is because the CJEU decision opens up the possibility of future challenges to the validity of those adequacy findings.

For those organisations which have not yet done so, it would be advisable to carry out an audit promptly to identify cases where an alternative solution needs to be put in place.

Are Model Clauses safe?

The obvious alternative mechanism for legitimising cross-border data transfers to the U.S. is the use of Model Clauses. Commissioner Vera Jourova was clear in the press conference that Model Clauses (and BCRs) remain a valid alternative. The Article 29 Working Party stated that, for now at least, Model Clauses (and BCRs) can still be used, although they are currently being analysed. However, putting in place Model Clauses is not always a quick solution. In some Member States, it is still necessary to file Model Clauses with the data protection authority or to have transfers undertaken pursuant to Model Clauses pre-authorised by the data protection authority.

What is the impact on national authorities?

National data protection regulators can expect to see a spike in enquiries from concerned parties as to how they will deal with the consequences of the CJEU’s judgment and the Article 29 Working Party Statement.

Is Safe Harbor dead?

The Commission will be incentivised to agree a new Safe Harbor regime very quickly to meet the concerns raised with the current system. The Article 29 Working Party has said that if an appropriate solution is not found by the end of January 2016, and depending on their assessment of other transfer tools (like Model Clauses), the EU data protection authorities are “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”,

We understand that prior to the CJEU judgment discussions between the EU and the U.S. were thought to be well advanced. The CJEU decision will certainly strengthen the hand of the EU negotiators but if they don’t reach agreement fast, those affected will have already put in place alternative mechanisms for legitimising their transfers or will have changed their business models in an attempt to avoid the issue. There is also now a very real risk of enforcement for those companies who allow mass and indiscriminate access by U.S. authorities to a range of information about data subjects.