European Union–United States Safe Harbor invalid
How will the new Safe Harbor ruling impact your business?
In a recent case filed after the Snowden revelations, the Court of Justice of the European Union (CJEU) has ruled that the EU–US Safe Harbor framework for the transfer of personal data from the European Union to the United States is invalid. More than 4,400 US-based organizations are likely to be effected by this ruling. On October 13, 2015, Deloitte Advisory conducted an informational session to explore the impact of the ruling, the alternatives available, and the critical steps organizations can take.
How will the new Safe Harbor ruling impact you?
Safe Harbor framework
1. What is the decision?
The CJEU recently ruled that a national data protection authority (DPA) must be able to examine, with complete independence, whether the transfer of a person’s data to a non-European Union (EU) country complies with the requirements laid down by the EU Data Protection Directive. The CJEU further confirmed that it, alone, can declare a European Commission Decision invalid, and therefore went on to investigate the adequacy of the United States (US) Safe Harbor framework.
The CJEU decided to declare the US Safe Harbor agreement invalid for the following reasons:
- National security, public interest, and law enforcement requirements of the United States prevail over the Safe Harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by the scheme where they conflict with such requirements
- US authorities were able to access the personal data transferred from the European Union to the United States and process it in a way incompatible with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security
- The persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased
The decision does not order an immediate end to cross-border data transfers. It rules that national regulators have the right to investigate and suspend them if the destination country/company does not provide sufficient protections, creating potential new legal risks for companies.
2. What does the decision mean?
A consequence of the CJEU ruling is that one of the most important and most widely used mechanisms for transfers of personal data between the Eurpean Union and the United States has been declared invalid, forcing 4,400 US-based companies to revise their cross-border data transfer strategy.
3. What are the alternatives?
1. Companies may use alternative approved methods to transfer personal data outside of the European Union, such as:
a. Model contracts
b. Binding corporate rules
c. Seek free and informed consent from all individuals whose information is collected in Europe
d. Direct approval from EU data protection authorities
2. Companies could also state that they will not allow any government access to personal information received from Europe. However, this potentially places companies at risk of ignoring a valid government request, such as a subpoena or court order.
4. What are the next steps in Europe?
The commission will shortly issue guidance to EU DPAs and businesses in order to provide a uniform interpretation of the ruling across the European Union, reinstate legal certainty for businesses, and safeguard the transatlantic flow of data. The US and European regulators are continuing negotiations aimed at updating the Safe Harbor agreement, but the timetable is unclear. In addition, many large technology companies have already established backup legal mechanisms in various countries in the European Union to avoid clashes with regulators.
5. How can Deloitte help?
Deloitte has been helping clients address privacy and data protection challenges, including those associated with cross border data transfers, for over 15 years. We are part of a global practice of trained, certified, and experienced privacy and data protection professionals. We can help assess the organizational impact of the recent Safe Harbor ruling and help clients define a strategy for implementing alternate cross border transfer methods. Through our access to a global network of member firms, we can also assist with the implementation of alternate cross border transfer methods such as model contracts and binding corporate rules.