EU’s highest court declares Safe Harbor invalid
Consequences and what to do next
The Court of Justice of the European Union (CJEU) has ruled on October 6, 2015 that the EU-US Safe Harbor Framework for transferring personal data from the EU to the US is invalid.
Update 11 November 2015
On Friday 6 November 2015, the European Commission released its guidance on transatlantic data transfers in response to the ruling of the Court of Justice of the European Union (CJEU) discussed below. This is the guidance that was referred to by the Commission’s First Vice-President Timmermans and Commissioner Jourová in their press conference of 6 October 2015. The Commission further released a press statement accompanying the guidance that contains interesting information on its next steps.
In the guidance the Commission reiterates what has been said by the Article 29 Working Party (WP29): Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) can, for now, still be used as a basis for data transfers to the United States (US), as can all other derogations expressly listed in letters (a) to (f) of Article 26(1) of Directive 95/46/EC.
The Commission however admits that individual Data Protection Authorities (DPAs) have the right to examine SCCs (and BCRs, one would assume, although that is not stated) to verify whether these provide enough protection. Furthermore, the Commission announced it will revisit all adequacy decisions made in the past, to make sure that no language in there will bar local DPAs from assessing the true adequacy of a country’s data protection rules if they wish to do so in individual cases. Both these statements address the second point on the basis of which the CJEU declared the EU - US Safe Harbor Decision invalid: the fact that the Decision restricts local DPAs from examining individual cases in complete independence, a restriction conflicting with Directive 95/46/EC and therefore not allowed.
The CJEU’s first point (that US laws on the power and reach of intelligence agencies in collecting personal data override EU data protection in a manner that infringes on EU citizens’ fundamental rights) has not been addressed by the Commission in its guidance.
The press release further states that it is the Commission’s goal to establish a renewed and safe framework for the transfer of personal data: a second iteration of the Safe Harbor framework, sometimes already referred to as Safe Harbor 2.0. In order to reach this goal, the Commission announces it has stepped up negotiations with the US, with the objective of concluding these discussions within three months.
Update 19 October 2015
On Friday 16 October 2015, the Article 29 Working Party (WP29) released a statement on the ruling of the Court of Justice of the European Union (CJEU) discussed below. In the statement the WP29 calls on the Member States and the European Institutions to find political, legal and technical solutions enabling data transfers to the US that respect fundamental rights. It urges them to do so before the end of January 2016.
For individual organisations that so far relied on the EU - US Safe Harbor scheme, the WP29’s message is that for the moment Standard Contractual Clauses and Binding Corporate Rules can still be used. It adds however that it will continue its analysis of the impact of the CJEU judgement on these other transfer tools.
So far, guidance by the European Commission as promised by its First Vice-President Timmermans and Commissioner Jourová in their press conference of 6 October 2015 has not yet been released.
In principle, according to European Data Protection law, organisations may only transfer data to countries outside the EU if the country in question ensures an adequate level of protection. Under the EU-US Safe Harbor scheme, the United States had been deemed by the European Commission to ensure an adequate level of protection of transferred personal data (i.e. protection equal to EU standards).
The Court of Justice of the European Union decided to declare the EU-US Safe Harbor Decision invalid for the following reasons:
- National security, public interest and law enforcement requirements of the United States prevail over the Safe Harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by the scheme where they conflict with such requirements;
- United States authorities were able to access the personal data transferred from the EU to the United States and process it in a way incompatible with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security;
- The persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.
The CJEU only declared the Decision invalid. It did not provide for any grace period or transition period.
Consequences: revising data transfer strategy
A consequence of the CJEU ruling is that one of the most important and most used legal frameworks for transfers of personal data between the EU and the US has been declared invalid, forcing 4,400 US-based companies to revise their data transfer strategy in the short term.
The European Commission will shortly issue guidance to national Data Protection Authorities and businesses in order to ensure a uniform interpretation of the ruling across the EU, reinstate legal certainty for businesses and safeguard the transatlantic flow of data.
What to do next
For organisations that think they may be affected by this ruling of the CJEU, we suggest verifying whether your organisation is relying on the EU-US Safe Harbor Decision, or makes use of any service providers that are, for transferring personal data to the US.
If so, and should you require more information on the specific consequences for your organisation, please contact Annika Sponselee or Jan-Jan Lowijs from the Deloitte Privacy Team. The consequences of this decision will differ per organisation and we are pleased to provide you with insights tailored to your organisation.
The Deloitte Netherlands Privacy Team remains in contact with the leaders of the Global Deloitte Privacy Practice while this is developing, to ensure we can advise global clients on the correct steps to take. As privacy requires a legal, technical and organisational approach, we have bundled our specialists in one multidisciplinary privacy team, enabling an all-round solution.
Please check our website for any updates.