The Court of Justice of the European Union (“CJEU”) has today ruled that the EU-US “Safe Harbor” arrangements are invalid. EU companies which transfer personal data to the US will now need to take urgent steps to assess and protect their position in relation to such data.
Under EU data protection law, there is a general prohibition on transferring personal data to a country outside the European Economic Area (EEA) unless that country ensures an “adequate level of protection” for the personal data.
The European Commission has certified that a number of non-EEA countries do provide “adequate protection”. In relation to the US, in 2000 it developed Safe Harbor, an arrangement whereby US companies could themselves be certified as providing adequate protection. Provided a US company had a Safe Harbor certification, the transfer of personal data to it was permitted.
However, the Safe Harbor arrangements had been heavily criticised since Edward Snowden’s revelations about US security agencies accessing personal data on a mass scale. The European Commission has been engaged in a lengthy negotiation with US authorities about how Safe Harbor operates with a view to improving the protection it gives EU citizens. Whilst the EU Parliament has called for the suspension of Safe Harbor, the Commission’s position has been to keep the current regime in place pending the outcome of the negotiations.
The current case arose when an Austrian individual, Max Schrems, challenged Facebook’s transfer of his personal data from its Irish subsidiary to its servers in the US. He argued that the Irish data protection authority (“DPA”) should have prevented the transfer on the basis that the US no longer ensures an adequate level of protection in light of Mr Snowden’s revelations.
The CJEU has now determined that the current Safe Harbor arrangements are invalid, in broad terms, because they do not provide protection to personal data essentially equivalent to that guaranteed under the EU legal regime, in particular:
- The manner in which personal data is collected in bulk by US national security and law enforcement authorities goes far beyond what is strictly necessary. It therefore compromises the fundamental individual right to respect for private life;
- The fact that the United States’ national security and law enforcement requirements prevail over the Safe Harbor arrangements means that insufficient limitations are placed on how US authorities can collect that personal data; and
- Individuals do not have the necessary legal rights in the US to challenge the gathering of their data by security agencies, and therefore their privacy rights cannot be properly protected.
The CJEU said that the Irish DPA will now have to consider Mr Schrems complaint and decide if Facebook’s transfer of personal data of its subscribers to the US must be suspended.
Current cross-border transfers
It is not just US technology giants like Facebook which will be affected by this judgment. It will also have an impact on those who transfer personal data to, for example, cloud service providers and data storage centres based in America. In some cases it may even limit companies from sharing personal data internally with their group companies, which will cause a significant administrative headache.
Any business which previously relied on Safe Harbor for its data transfers will have to urgently review its data transfer arrangements and use an alternative means of ensuring “adequacy” (e.g. by using the Commission’s Standard Contractual Clauses). If entering into these contracts is not possible, businesses may have to suspend transatlantic data flows.
Any future for Safe Harbor
The EU and US authorities are likely to now step up their negotiations to try and agree a replacement for Safe Harbor. However, in light of the CJEU’s judgment, any replacement that does not address the EU’s concerns about bulk intelligence gathering and creating an essentially equivalent regime in America for data transferred from the EU will be unviable. Indeed this judgment may be seen as an attempt by the Court to put pressure on US authorities to give concessions on this issue.
Report: How should you respond to developments in financial regulation this year?
Our team of financial regulation experts have produced a comprehensive report examining the key developments this year.
• Includes over 30 practical articles and a calendar setting out the key dates for your diary.
• Key topics covered include MiFID II, SMCR / SIMR, cyber risk and how to survive a regulatory interview.