ECJ declares Safe Harbor Arrange­ment invalid

ECJ declares Safe Harbor Arrangement invalid – Material Impact for Data Transfers to the USA

In its judgement of October 6, 2015, the European Court of Justice (ECJ) has declared invalid the so-called Safe Harbor Arrangement between the EU Commission and the USA. In consequence thereof transfer of personal data from Europe to companies based in the USA may no longer be based on the Safe Harbor certification of a US data importer. For many companies the currently chosen legal basis for data transfer to service providers and companies in the USA has been withdrawn. Affected by the ECJ judgement are also transfers of personal data between European and American group companies, which mostly have been based exclusively on „Safe Harbor“.

Safe Harbor Arrangement between the USA and the EU Commission

Pursuant to the EU Data Protection Directive (Directive 95/46/EC), personal data may only flow to other bodies (e.g. companies) in countries outside the EU if the data subject has consented to the transfer of data or if there is a corresponding contractual agreement between the body transferring the data and the body receiving the data. A precondition for transferring personal data on the basis of a contractual agreement is, however, that the body receiving the data allows for sufficient protection of the data. It is crucial here that there is a level of data protection in the country receiving the personal data which corresponds to the level within the EU.

Such a sufficiently high level of data protection does not generally exist in the USA. However, in order to facilitate the flow of data with the USA the EU Commission and the USA agreed to a so called “safe harbor” arrangement (Commission Decision 2000/520/EC) in the year 2000. US companies can sign up to an agreement to follow the safe harbor principles for processing data and be certified accordingly by the US Department of Commerce.

If a US company is certified as a safe harbor company, personal data can be transferred to the USA, saved and processed without any further requirements (e.g. special consent by the data subject) in order to manage contractual relationships or to process orders from countries outside the EU.

ECJ Ruling dated October 6, 2015

In its ruling dated October 6, 2015 (Case No.: C-362/14), the European Court of Justice (ECJ) has now ascertained, however, that personal data are not sufficiently protected in the USA even if the respective US company is a certified safe harbor company. The origin of the dispute was legal action by an Austrian who objected to the fact that the European subsidiary of the Facebook social network with its registered office in Dublin/Ireland transferred and processed personal data of Facebook users to servers in the USA. He was of the opinion that his personal data were insufficiently protected in the USA from access by US security agencies.

The ECJ essentially stated that although the safe harbor arrangement applied to those American companies who had signed up to it, it must still be taken into account when ascertaining an adequate level of data protection in the USA that the requirements of national security and public interest as well as the application of US law always had priority over the safe harbor principles. The US companies were therefore obliged not to apply the safe harbor principles when they conflicted with such provisions or US law. The safe harbor arrangement does not offer a basis to prevent interventions by American authorities in the fundamental rights of the persons concerned, which interventions the EU considers to be unjustified.

Against this background the ECJ declared the safe harbor arrangement, i.e. the 2000/520/EC decision by the EU Commission, to be invalid and therefore withdrew the legal basis for transferring personal data to the USA by way of the safe harbor certification.

Effects of the ECJ Ruling on Data Transfers into and with the USA

The ECJ ruling places considerable practical challenges on European companies which transfer personal data to the USA both within a corporate group (e.g. employee data) and to third party companies (e.g. cloud service providers). While the safe harbor arrangement was previously sufficient to cover such data transfer prior to the ECJ ruling, the transfer of personal data to the USA can now only be justified by individual consent, EU standard contractual clauses or existing binding corporate rules (BCR).

It should be noted with respect to EU standard contractual clauses and BCR that the independent data protection authorities of the German central government and the federal states notified in a policy document dated October 26, 2015, that approvals would in the meantime no longer be issued for BCR and that both instruments should be reviewed for justifying the transfer of data to the USA in view of the ECJ decision. A binding statement from both the German and European data protection authorities (Art. 29 Working Party) has been promised for the end of January 2016. If a decision is made here that neither EU standard contractual clauses nor BCR can justify the transfer of personal data to the USA, it will only be possible to justify such transfer on the basis of individual declarations of consent by the data subject.

We therefore urgently advise a detailed review of data protection and data transfers and that appropriate modifications are made in order to avoid civil or even criminal sanctions. Despite this it remains to be hoped that the ECJ decision will mean that the negotiations between the EU and USA which have been ongoing since 2013 to revise the safe harbor arrangement will now regain momentum so that new binding regulations will be created as soon as possible in the interest of legal security for the transatlantic transfer of data.