EU Court invalidates privacy ‘Safe Harbor’ – what does it mean for your business abroad?

October 30, 2015

By Louis Dejoie and Thomas Markey

European Union (EU) law bars companies conducting business in the EU from sending citizens’ personal information outside the EU unless certain guarantees of protection exist.

On Oct. 6, the Court of Justice of the European Union (CJEU) invalidated a Safe Harbor provision that allowed companies to transfer personal data from within the EU to the U.S., finding that the Safe Harbor failed to adequately protect EU citizens’ privacy. The Safe Harbor dated to a 2000 agreement between the EU and U.S. and applied to the personal data of customers and employees.

The recent decision stemmed from a grievance regarding Facebook’s treatment of users’ personal data. In 2013, Austrian student Maximilian Schrems complained to Ireland’s data privacy regulator that Facebook’s Irish subsidiary had transferred his personal data to the U.S. Schrems claimed that the Safe Harbor provided inadequate protection against surveillance by the U.S. National Security Agency (NSA); his complaint followed Edward Snowden’s revelations regarding NSA surveillance practices. Ireland’s data privacy regulator declined to investigate, and Schrems challenged this decision in an Irish court, which referred the case to the CJEU. Because the CJEU is the EU’s highest court, its ruling is binding and cannot be appealed.

The international community’s reaction to the CJEU decision has been mixed. Privacy activists, including Schrems, hailed the decision as a major advance in personal privacy protection.

On the other hand, thousands of corporations have scrambled to navigate a period of uncertainty and assess their potential liability for now-illegal data transfers. U.S. Commerce Secretary Penny Pritzker was “deeply disappointed” by the decision, stating that it “creates significant uncertainty” for companies and consumers on both sides of the Atlantic. “Hanging in the balance is billions of dollars of trade in the online advertising business,” the Wall Street Journal reported.

The practical effect of the CJEU decision is to empower national data protection regulators within the EU to investigate and regulate data transfers, including transfers of customer and employee data from subsidiaries to their parent companies. EU regulators, while acknowledging the decision currently makes Safe Harbor-type transfers illegal, have stated they will refrain from aggressive enforcement actions until the end of January 2016. EU-U.S. negotiations for a new Safe Harbor, which began before the CJEU decision, have taken on greater urgency. Although the parties have already found common ground on some issues, such as a U.S. commitment to greater governmental oversight of the Safe Harbor certification process, reaching a final agreement may take several more weeks. In the meantime, the European Commission is expected to issue guidance for companies regarding the implications of the CJEU ruling.

The two primary methods for sharing data absent the Safe Harbor are data protection clauses in contracts between data-sharing companies and binding, regulator-approved corporate rules for transfers between subsidiaries and/or parent companies. EU regulators have indicated that these methods, which are more time-consuming and expensive to implement, remain lawful in the short term.

Aftershocks of the CJEU’s decision were felt beyond the EU and U.S. borders when Israeli regulators revoked authorization for data transfers from Israel to the U.S. based on the Safe Harbor framework. Back on American soil, the House of Representatives moved with uncharacteristic speed to approve the Judicial Redress Act, which extends to EU citizens the same rights to judicial process that U.S. citizens enjoy when their personal information is misused by U.S. law enforcement. EU citizens’ inability to sue in U.S. courts was one reason for the CJEU decision.

In the coming weeks, companies that relied on the Safe Harbor should closely monitor Senate action on the Judicial Redress Act, any guidance issued by the European Commission, and ongoing negotiations between EU and U.S. authorities regarding what some commentators have dubbed “Safe Harbor 2.0.”