European Court Of Justice Rules US-EU Safe Harbor Invalid

Everett Monroe
October 9, 2015

This week the European Court of Justice issued a judgment in the case of Maximillian Schrems v. Data Protection Commissioner finding that the US-EU Safe Harbor is invalid for failing to provide adequate limitations on data processing for national security purposes.

The US Department of Commerce and the European Commission negotiated the Safe Harbor framework to provide adequate privacy protections for the personal information of European data subjects transferred to businesses in the United States. US companies participating in the Safe Harbor self-certified to the Department of Commerce that they would abide by seven privacy principles: notice, choice, onward transfer, security, data integrity, access, and enforcement.

The decision from the European Court of Justice removes this protection for US businesses seeking to transfer data from European entities and individuals. The judgment also increases the obligations on national data protection authorities to more closely monitor the adequacy of data transfer mechanisms and to depend less on the European Commission’s authority. Businesses in the US participated in the Safe Harbor to get approval to transfer data out of Europe without seeking approval from each individual EU country. It removed the need to get 28 different approvals for Europe wide business transactions, and protected cloud service providers from being forced to maintain separate European servers. It eased the way for cooperation between US and EU businesses, and lowered barriers for data transfers between US companies and their European subsidiaries.

Responses from US regulatory authorities have been guarded. The Chairman of the Federal Trade Commission, the primary enforcement body for the Safe Harbor in the United States, issued a short statement that “we will continue to work together with our European colleagues to develop effective solutions that protect consumer privacy with respect to cross-border data transfers.” The Department of Commerce expressed deep disappointment in the decision and called for an expedited release of the Updated Safe Harbor Framework, noting that it is prepared to work with the Commission to address uncertainty created by the Court’s decision. Meanwhile, the Article 29 working group, a body made up of the national data protection authorities and representatives from EU governing institutions, announced a meeting this week to consider what guidance to provide European and United States organizations in the wake of the decision.

The Court’s Judgment should spur ongoing efforts to revise the Safe Harbor and increase cooperation between US and EU authorities. The Department of Commerce and the European Commission were already negotiating updates to the Safe Harbor, and the United States and European Union had just completed negotiations to allow for greater information sharing for law enforcement, dependent upon the passage of US legislation that would grant European citizens the ability to challenge law enforcement surveillance in US Courts.

For now, the decision has created uncertainty and regulatory complexity for US businesses and their vendors that transfer European citizens’ personal data from the EU. Binding corporate rules, affirmative consent from the data subject, and model contract clauses, while all still valid means of permitting data transfer out of Europe, come with a patchwork of regulatory approvals and differing standards across the EU. Further, it is not clear that these mechanisms would satisfy the Court’s concerns about the perceived lack of limitations on national security surveillance. Both US and EU companies will have to look carefully at what personal data they transfer and how best to comply with European data protection requirements.

Hanson Bridgett’s Privacy, Data Security and Information Governance attorneys assists clients in complying with data privacy regulations, and will provide updates as guidance from European and US authorities becomes available.