Last month, judges from the European Court of Justice, the European Union’s top court, issued a judgment striking down a 15-year old agreement, known as the Safe Harbor framework, which allowed American and European businesses to freely move personal data between the two regions. This ruling impacts nearly 4,000 businesses that currently rely on Safe Harbor framework to transfer data between the U.S. and Europe and requires all businesses to revaluate their compliance with Europeans standards.
The Court’s decision involved a suit brought by Max Schrems, an Austrian citizen, and involved Facebook’s transfer of data from Ireland to the U.S. Mr. Schrems alleged that Facebook data transfer to the U.S., in light of the Edward Snowden disclosure of US government intelligence data in 2013, violated his rights because the laws of the U.S. do not adequately protect personal data. The lower court rejected Mr. Schrems’ complaint holding that the Safe Harbor framework established the adequacy of protection in the U.S. when the EU adopted the Safe Harbor framework. However, the Court reversed and found the Safe Harbor framework invalid. The Court held that the lower court failed to sufficiently examine the data protection standards in the U.S. to ensure that the level of protection of fundamental rights is equivalent to those guaranteed in the EU. Further, the Court noted that this ruling should not prevent national data privacy authorities (DPAs) from examining whether the transfer of personal data to other countries complies with the requirements of EU data protection laws.
Consequently, all data transfers made solely under Safe Harbor framework are invalid. All businesses should thus review their contracts, data protection policies and terms and conditions in light this ruling. Businesses should redraft their contracts to be in compliance with European standards, which remain somewhat unclear. To provide some clarification, on October 16, 2015, Article 29 Working Party (the “Working Party”), an independent advisory panel tasked with providing expert advice to the EU Commission on data privacy released a brief statement (the “Statement”) to national data privacy authorities, explaining the ruling and how DPAs should take enforcement action. The Working Party noted, “transfers that are still taking place under the Safe Harbor decisions after the [Schrems] judgment are lawful.” Thus, the Working Party recommended global businesses to utilize Standard Contractual Clauses and Binding Corporate Rules to be in compliance with the European Standard. Further, the Working Party urged American and European authorities to promptly draft a Safe Harbor 2.0 framework by January 2016 to standardize data privacy protections in light of the increase private data transfers.
Further, American and Europeans authorities have expedited their efforts to draft the Safe Harbor 2.0 framework by January 2016. However, some commentators question whether a “Safe Harbor 2.0” will have real benefits for U.S. controllers as a practical matter when compared to transfer methods under Art 26 of Directive 95/46. These commentators note that days where U.S. companies could get away with Safe Harbor principles (SHPs) are now over. Any new Safe Harbor framework must pass the “essentially equivalent” test to survive another legal challenge at the European Court of Justice. It is reasonably foreseeable that U.S. companies will still have to utilize Standard Contractual Clauses and Binding Corporate Rules to bridge the gap moving forward. Thus, U.S. companies would be well advised to consider taking affirmative steps to mitigate these risks.
Gibbons will continue to monitor further developments in this matter and publish any major developments.