The European Court of Justice invalidated the European Commission’s finding of U.S. “adequacy” for personal data transfer under Safe Harbor due to privacy concerns, exposing organizations to claims that data transfers reliant on Safe Harbor protections are unlawful.
You may have already seen headlines today about the decision of the Court of Justice of the European Union (CJEU) regarding substantial limitations to the effectiveness of the EU/US Safe Harbor program. Safe Harbor is the program that thousands of US companies have relied on for the past 15 years to permit transfers of personal data from Europe to the US, by committing to certain privacy and data security protections. This decision by the CJEU represents a seismic shift in law that will impact how almost every American company with European customers and users operates going forward.
What you need to know:
- As of today, the Safe Harbor program has been declared invalid by the CJEU, the EU’s highest court. The decision is not appealable.
- Individual EU nations may now elect to halt transfers of their citizens’ data to the US. In place of those transfers, these nations may demand that citizens’ data be stored in the country of origin, or they may elect to impose their own individual transfer rules. How each EU country responds will be determined in the coming weeks and months.
What you can do now:
- Large corporations, especially those with existing European subsidiaries, may choose to set up EU servers to store and process their EU-specific data from within the Eurozone, obviating the need for transfers outside of the EU. However, this option is very expensive and may be cost prohibitive for most US businesses.
- As an alternative to Safe Harbor, US businesses which import data from the EU may now rely on either: (1) the affirmative consent of each data subject (i.e., the individual whose data is being transferred), or (2) the adoption of specific contractual language commonly known as the “Standard Contractual Clauses” or “SCCs.” The SCCs have been pre-approved by the European Commission, so contracts that incorporate them are permitted to transfer data to US entities.
- The SCCs require any entity seeking to import or export data of EU citizens to a foreign country (in this case, the US) to make a series of representations that it will abide by certain standards for data security and limitations on data use. The SCCs also give EU data subjects certain rights with respect to their data, such as the ability to request access to all such data. Under the SCCs, data subjects have a private right of action against importers and exporters of their data (as well as any third-party subcontractors who have handled that data) for violations of those rights.
- Adopting the SCCs, as opposed to obtaining individual consent, is likely the better option for US businesses, as many experts believe that the CJEU will soon strike down user consent as invalid. Even in the event that they do not, such consents can be very difficult to obtain.
What to expect moving forward:
- In spite of the breadth of the ruling, experts do not anticipate seeing an immediate wave of enforcement actions by EU Data Protection Authorities. This means it is unlikely that your business will get notice of a European investigation tomorrow. Some of those EU authorities have already issued preliminary statements recognizing that it will take businesses time to adapt to the ruling.
- For the past two years the European Commission and the US Department of Commerce have been negotiating a new Safe Harbor framework. Those negotiations are expected to continue and could result in an acceptable replacement program in the future. The final sticking point in those negotiations (and, indeed, the major issue cited by the CJEU in striking down the current Safe Harbor regime) is said to concern surveillance conducted by the US government. The EU is seeking strict limitations on the scope of the surveillance demands that the US government places on private companies, including judicial review of government requests for private data.
While adoption of the SCCs should give your business and its European partners a greater sense of security, adoption is not as simple as cutting and pasting text into your new contracts. Your business should first conduct an analysis to determine if you are able to comply with new requirements – which are more stringent than those of the Safe Harbor program. Compliance may also require amending existing contracts with EU customers, vendors and any third party infrastructure providers you rely on for handling data.