Court Invalidates US-EU Data Transfer Safe Harbor Program

The European Union’s highest court has, effective immediately, invalidated the US-EU Safe Harbor program relied upon by many companies as the basis for lawfully transferring and processing personal information from the EU to the United States. The October 6, 2015 decision by the Court of Justice of the European Union (CJEU) held that:

• The 2000/520 European Commission Decision that established the US-EU Safe Harbor is invalid and has been stricken down, based on its exceptions for government access to personal data; and
• EU national authorities have the power to investigate any claim that personal data subject to European laws is being transferred to a third country, like the United States, which has not been deemed to provide adequate protection to the data, and potentially to suspend such data flows.

Companies that have been relying on the Safe Harbor should promptly evaluate options for addressing this development. As described below, those options include alternative grounds for the authority to make data transfers and limitations on the data that are transferred. Goodwin Procter LLP held an informational Webinar to provide more insights into the decision and its practical impacts on companies on Friday, Oct. 9, at 2 p.m. EDT. ACCESS A RECORDING OF THIS WEBINAR>>

The Case and Decision

An Austrian national complained that Facebook’s Irish subsidiary transferred his personal data to the United States, where it was then capable of being accessed by the National Security Agency and other agencies. The Irish Data Protection Commissioner refused to investigate the complaint because the company was certified under the Safe Harbor program. The CJEU has now declared the Safe Harbor to be invalid and has sent the case back to the Commissioner, who will decide whether to suspend data flows between Facebook Ireland and Facebook USA.

What Should Safe Harbor Participants Do?

Given the Decision, adherence to the Safe Harbor is no longer sufficient to ensure the legitimacy of transfers of personal data from the EU to the US. Although this leaves any entity that relied solely on Safe Harbor exposed to possible claims that its data transfers are unlawful, we expect many regulators to allow companies some time to reorganize their programs and implement alternatives. Companies thus should promptly evaluate, identify, and prioritize data transfers for which they relied on the Safe Harbor, and should identify alternative or additional compliance mechanisms. Companies also should be prepared for less leeway in countries, such as Germany, where the Safe Harbor has long been subject to scrutiny.

There are various possible alternatives to the Safe Harbor. The best solution for any company will depend on its particular circumstances, and thus needs to be determined on a company-by-company basis in an informed manner. The alternatives include, among others:

• Consent. EU data protection laws permit the transfer of personal data where the individual has given his or her specific, informed, and freely-given consent to the transfer of his or her personal data.
• Model clauses. Companies exporting and importing EU personal data may rely on standard contractual clauses that have been approved by the European Commission. Companies will have to go through the time and expense of entering into the appropriate model clauses agreement with each EU data exporter.
• Binding Corporate Rules (BCRs). BCRs are an alternative compliance mechanism for companies sharing personal data with US group companies only. Because BCRs apply only to group companies, they are not appropriate for all data transfers.
• Anonymization of personal data. Companies may also consider whether there is an actual business need to transfer personal data from the EU to the US. If companies can rely on anonymous data instead of transferring actual personal data, that data would fall out of the scope of EU data protection laws.
• An Eventual Safe Harbors Replacement? There is hope for a Safe Harbor 2 accord and discussions towards this end are already far advanced. If such discussions are successful, companies that had relied upon the Safe Harbor may have a new self-regulatory regime in which to participate.

Further Implications

The decision by the CJEU will have additional far-reaching practical consequences:

• Existing commercial relationships, especially between data controllers and data processors (service providers to data controllers), will likely receive close scrutiny as controllers seek to ensure that any work done on their behalf meets applicable legal requirements. In many instances novel or unusual business models or industries that have thrived under the Safe Harbor program may face significant regulatory uncertainty and risk because alternatives may be difficult or impossible to implement.
• Pan-European approaches to compliance will continue to be challenging. Fragmented, country-by-country decision-making will continue at least in the near future, increasing legal costs and hindering market entry.
• Government surveillance programs will continue to have dramatic consequences for international commerce and for Internet and related technology developments.
• Many of the benefits of a free and open Internet may be threatened by or disrupted by decisions that encourage data localization and discourage free cross-border flows of information.

About Goodwin Procter’s Privacy & Cybersecurity Practice

Goodwin Procter’s Data, Privacy & Cybersecurity Practice leverages the firm’s core strengths, collaborating across the firm’s highly regarded technology, financial institutions, licensing, litigation and investigations, regulatory and appellate practices. This unique approach, focusing on client needs and value, enables us to engage specialists whose experience and leadership is framed by a holistic understanding of the nature and importance of information to modern enterprises.