European Union - United States Safe Harbor deemed invalid
The Court of Justice of the European Union (CJEU) recently ruled that a national Data Protection Authority (“DPA”) must be able to examine, with complete independence, whether the transfer of a person’s data to a non-European Union (“EU”) country complies with the requirements laid down by the EU Data Protection Directive.
12 October 2015
What is the decision?
The CJEU further confirmed that it, alone, can declare a European Commission Decision invalid, and therefore went on to investigate the adequacy of the United States (“US”) Safe Harbor framework. The CJEU decided to declare the US Safe Harbor agreement invalid for the following reasons:
- National security, public interest and law enforcement requirements of the United States prevail over the Safe Harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by the scheme where they conflict with such requirements;
- United States authorities were able to access the personal data transferred from the EU to the United States and process it in a way incompatible with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security; and
- The persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.
The decision does not order an immediate end to cross-border data transfers. It rules that national regulators have the right to investigate and suspend them if the destination country/company does not provide sufficient protections, creating potential new legal risks for companies.
What does the decision mean?
The ruling is final and has immediate effect. A consequence of the CJEU ruling is that one of the most important and most widely used mechanisms for transfers of personal data between the EU and the US has been declared invalid, forcing 4,400 US-based companies to revise their cross-border data transfer strategy. Failure to take action may expose your organization to claims and investigations by local Data Protection Authorities, customers and employees (including works councils), as well as to uncertainty about how to access, share and use personal data within your global organization in a compliant manner.
Looking forward: What can you do today?
For organizations that think they may be affected by this ruling of the CJEU, we suggest verifying whether your organization is relying on the EU-US Safe Harbor Decision, or makes use of any third party service providers that are transferring personal data to the US. If so, you might consider already taking the following steps:
- Ensure that you have an efficient process for responding to Safe Harbor-related queries consistently throughout your organization.
- Raise awareness within your organization on the course of action (especially HR, Legal, Communications, Procurement, Marketing and Sales departments).
- Check EU local DPA registrations, policies etc. referring to Safe Harbor: gather privacy program policies and procedures, and prepare responses to possible inquiries from DPA/clients/employees and Works Councils.
- Start auditing any contracts with third party vendors to identify and prioritize risks (e.g. Cloud, CRM, etc.).
- Prepare materials and gather documentation to perform a risk assessment.
- Do not panic, but do not do nothing either: start in a prioritized, step-by-step and well-documented manner.
Companies need to consider alternative approved methods to transfer personal data outside of the EU, such as:
- Model Contracts;
- Binding Corporate Rules (BCRs);
- Free and informed consent from all individuals whose information is collected in Europe; or
- Direct approval from EU Data Protection Authorities
What are the next steps in Europe?
The Commission will shortly issue guidance to EU DPAs and businesses in order to provide a uniform interpretation of the ruling across the EU, reinstate legal certainty for businesses, and safeguard the transatlantic flow of data. The US and European regulators are continuing negotiations aimed at updating the Safe Harbor agreement, but the timetable is unclear. In addition, many large technology companies have already established backup legal mechanisms in various countries in the EU to avoid clashes with regulators.
How can Deloitte help?
Should you require more information on the specific consequences for your organization, please contact Erik Luysterborg, EMEA Data Protection and Privacy Leader based in the Deloitte Belgian office in Diegem. The consequences of this decision will differ per organization and we are pleased to provide you with insights, tailored to your organization.
Deloitte Belgium has been helping clients address privacy and data protection challenges, including those associated with cross-border data transfers, for over 15 years. We are considered the center of excellence for Europe, combining legally and technically trained, certified and experienced security and privacy experts. We can help assess the organizational impact of the recent Safe Harbor ruling and help clients define a strategy for implementing alternate cross-border transfer methods. Through our access to a global network of member firms, we can also assist with the implementation of alternate cross-border transfer methods such as model contracts and binding corporate rules.
If you are interested in discussing the recent Safe Harbor ruling, please contact Erik Luysterborg.