CJEU’s Decision Invalidates Safe Harbor (October 2015)

In our recent Flash News, we reported that the Advocate General to the Court of Justice of the European Union (CJEU) gave an opinion that the US – EU Safe Harbor, a widely used legal instrument allowing for transfers of personal data from the EU to US organizations that have self-certified their compliance with the Safe Harbor Privacy Principles, should be declared invalid. On October 6, the CJEU handed down its judgment in Schrems v. Data Protection Commissioner declaring Safe Harbor invalid.

The CJEU reasoned, inter alia, that Safe Harbor does not provide an adequate level of data protection because US public authorities are not themselves subject to it and may (or may be even bound to) disregard these protective rules; Safe Harbor is thus not able to prevent large-scale access by US public authorities to data transferred from the EU.

Further, the CJEU held that national data protection authorities in the EU have the power to examine the lawfulness of personal data transfers to third (non-EU) countries and challenge them in court, even where such transfers are based on a prior Commission ‘adequacy’ decision (i.e. a finding that a third country ensures an adequate level of data protection). The CJEU, however, reserved to itself the power to invalidate such Commission adequacy decisions, just as it did with Safe Harbor.

The CJEU’s decision is non-appealable and takes immediate effect.

The ruling will have an immense impact on international businesses relying on trans-Atlantic data transfers; it will affect not only tech companies but also multinationals, which may no longer rely on Safe Harbor to legitimize their intra-group employee and customer data transfers from the EU to the US. The decision will likely cause most worries to EU-based data processors, who generally cannot rely on some of the alternative data transfer mechanisms such as the EU standard contractual clauses and who typically used Safe Harbor to justify data exports to their US sub-processors (typically, cloud service providers).

In the wake of the CJEU’s ruling, the Commission rushed to release a statement that it remains committed to ensuring that transatlantic data flows, “the backbone of our economy”, continue, and promised to issue clear guidance to national data protection authorities on how to deal with data transfers to the US. The Commission also stressed the currently available alternatives to Safe Harbor. However, not all of these alternative options may be suitable for commercial data transfers. For example, relying on the individual data subject’s consent is not practically feasible in many scenarios involving systematic data transfers, and raises issues as to the enforceability of an informed and voluntary consent. Similarly, the applicability of Binding Corporate Rules (BCR) is limited to intra-group cross-border transfers only and does not extend to transfers of data to non-affiliated service providers (e.g. data centers); moreover, the implementation of BCR can be complex, costly and time-consuming. For most companies exchanging data across the Atlantic, the implementation of standard contractual clauses approved and published by the Commission into their contracts will thus be the only really practical option – at least for the time being. Big hopes are now attached to the ongoing renegotiation of Safe Harbor, which promises to offer a new, modified and more robust Safe Harbor.

In light of the CJEU’s ruling, it is prudent for European businesses to act quickly and assess their current data transfer arrangements, identify data transfers conducted under Safe Harbor, and implement the most appropriate substitute mechanisms allowing for a lawful flow of personal data to the United States.