Home Home About Us Practice Areas Our Attorneys Press & Publications Events Diversity Pro-Bono Careers

Digital Media, Technology & Privacy Alert >> EU Court of Justice Strikes Down U.S.-EU Safe Harbor for Data Sharing

October 7, 2015

In a decision that could have widespread ramifications for all industries, the Court of Justice of the European Union has rejected the U.S.-EU Safe Harbor relied on by thousands of U.S. companies to be able to transfer personal data to the U.S. from the EU without violating EU privacy and data protection rules and directives, deeming it “invalid.”

The European Commission’s Data Protection Directive requires that countries to which the personal data of EU residents are transferred maintain adequate standards for data protection. The U.S.-EU Safe Harbor Frame was put in place over 15 years ago to enable the transfer of personal data from EU residents to companies in the United States in a manner that will be deemed adequate and in compliance with EU data protection standards. In June 2013, an Austrian citizen, Maximillian Schrems, challenged the transfer of personal data from Facebook Ireland Ltd. to Facebook USA. He contended, in essence, that the laws and practices of the United States offered insufficient protection for data kept in the United States against government surveillance. His argument followed revelations made by Edward Snowden concerning the activities of U.S. intelligence services, including the National Security Agency (the NSA). The EU’s Data Protection Commissioner refused to investigate, reasoning that the U.S.-EU Safe Harbor mechanism ensured an adequate level of protection of personal data transferred to the United States.

Schrems sought review of the commissioner’s decision by the High Court of Ireland. The Irish court then asked the Court of Justice to determine whether the Safe Harbor barred consideration of Schrems’ complaint.

Advocate General’s Opinion
In late September, the EU Advocate General issued an advisory opinion in which he observed that the Irish court had proceeded on the basis of two findings of fact. First, that personal data transferred by entities such as Facebook Ireland to its parent company in the United States was capable of being accessed by the NSA and by other U.S. agencies. Second, that EU citizens had no effective right to be heard on the question of the surveillance and interception of their data by the NSA and other U.S. security agencies.

The Advocate General decided that those findings demonstrated that, in his view, the Safe Harbor did “not contain sufficient guarantees” of adequate privacy protections for EU citizens and, accordingly, that it did not satisfy the EU’s privacy and data protection requirements.

Accordingly, the Advocate General concluded that the Safe Harbor had to be “declared invalid.”

EU Court of Justice Ruling
The EU Court of Justice officially released its decision on October 6, 2015.

In its October 6th opinion, the Court of Justice decided that U.S. national security and law enforcement requirements effectively prevailed over the Safe Harbor, giving the U.S. government the authority to interfere with the “fundamental rights of persons” to protect their personal data.

Accordingly, in a landmark ruling, the Court of Justice agreed with the Advocate General that the Safe Harbor was invalid. As a consequence, it said, the High Court of Ireland had to examine Schrems’ complaint to decide whether transfer of the data of Facebook’s European subscribers to the United States should be suspended on the grounds that the United States does not afford an adequate level of protection of personal data.

Thousands of U.S. companies who previously took advantage of the Safe Harbor agreement to send user data from Europe to the United States may be forced to reconsider the way in which they handle and transfer user data. While the ruling does not mean that U.S. companies are immediately prevented from transferring data to the United States, it does mean that the courts in each EU member state can now rule that Safe Harbor is unlawful in their jurisdiction. If that becomes the prevailing opinion, companies may need to explore alternative options with respect to their treatment of personal data. It is possible that inconsistent rulings create a fragmented environment.

One option to be considered is to implement the EU Commission model contract clauses which are pre-established terms governing data protection that two parties can execute to permit the transfer of personal data in a compliant manner. That being said, while the Safe Harbor ruling did not explicitly rule on the enforceability of model contracts, the logic behind the ruling could theoretically be extended to the adequacy of model contracts to ensure the protection of personal data in the United States, paving the way for those clauses to be challenged at a future date.

The Court of Justice’s decision may be unlikely to be enforced in practice in the short-term due to limited regulatory resources, and there is certainly an interest by regulators and companies on both sides of the Atlantic to resolve this issue and avoid more radical changes. U.S. and EU regulators had been engaged in discussions for over two years on revising the Safe Harbor program after the EU had issued a list of 13 steps it believed were necessary to fix the program’s alleged shortcomings. That said, the decision of the Court of Justice is now here and enforcement is a possibility.

The Bottom Line

Companies that transfer personal data from the EU to the U.S. must now consult with counsel to consider the effect of the Court of Justice’s decision on their business practices and whether they should rely on alternatives to the Safe Harbor, including model contract clauses, binding corporate rules and direct consent to permit them to continue transferring personal data to the United States.