On October 6, 2015, the Court of Justice of the European Union (“CJEU”), the European Union’s highest court, issued a groundbreaking judgment in the Schrems v. Facebook case, which has potential implications for the Safe Harbor regime and the practices of US corporations that receive personal data from the European Union.
What is Safe Harbor?
Under EU law, there is a prohibition on transferring personal data to a country outside the European Economic Area (EEA) unless that country ensures an “adequate level of protection” for that personal data. The European Commission has certified that certain non-EEA countries do provide “adequate protection”—these countries include Argentina, Canada, Israel, New Zealand, Switzerland and Uruguay. The United States does not enjoy an adequate level of protection however, US-based companies were able to receive transfers of personal data if they self-certified under a “Safe Harbor” scheme designed by the US and EU regulators more than a decade ago. However, even prior to the Schrems case, the Safe Harbor scheme has been heavily criticized due (in part) to perceived mass surveillance practices by the US authorities with regard to personal data of EU citizens held by US corporations.
Who is Max Schrems and what is his complaint?
Max Schrems, an Austrian citizen, objected to the transfer of his Facebook account data from Facebook’s subsidiary in Ireland to Facebook Inc.’s servers in the United States. His complaint to the Irish national data protection authority was precipitated by Edward Snowden’s disclosures regarding certain alleged intelligence and surveillance practices of the US government. Mr. Schrems asserted that the United States does not afford an adequate level of protection for transferred data, as required by the EU Data Protection Directive. On appeal from the Irish High Court to the EJEU, the court considered and ruled on two issues:
1. The validity of the Safe Harbor regime in relation to data transfer to the United States:
Here the court held that the decision of the Commission that Safe Harbor provides adequate protection is invalid. In doing so, it highlighted a number of perceived deficiencies of the Safe Harbor regime, including that “national security, public interest, or law enforcement requirements have primacy over the Safe Harbor principles … .”
2. Whether national data protection authorities in EU member states can suspend international data transfers, even if the Commission has made a ruling that the receiving country is adequate (this question not being limited only to US transfers)
On this issue, the court held that the national data protection authorities could suspend such international transfers following investigation, notwithstanding any previous ruling of adequacy by the Commission with regards to that country.
The CJEU’s decision has left significant uncertainty for US technology companies that rely on the Safe Harbor framework to be able to process and use personal data received from the European Union, in industries that span from online advertising to social media, cloud services, digital health care and IoT (Internet of Things) applications.
The immediate effect of the CJEU’s decision is that any transfer of personal data to the United States from the European Union based on Safe Harbor will, therefore, potentially be subject to investigation and enforcement by EU national data protection authorities.
However, it is unlikely that the CJEU’s decision will lead to mass enforcement in the immediate term. Following the CJEU ruling, European Commission’s First Vice-President Timmermans and Commissioner Jourová held a press conference on the Safe Harbor framework, where they identified as the priorities of the European Commission “the protection of personal data transferred across the Atlantic,” “the continuation of transatlantic data flows, which are important for our economy, with adequate safeguards,” and “the uniform application of EU law in the internal market” and promised to “come forward with clear guidance for national data protection authorities on how to deal with data transfer requests to the US, in the light of the ruling.” The market awaits this much-needed guidance.
What should US technology companies do?
US technology companies relying on the Safe Harbor framework to transfer personal data to the United States will have to consider alternative transfer mechanisms in order to continue to do so.
Companies that act as “data processors” under the EU Data Protection Directive should also expect reactions from their European “controllers” and will need to evaluate the appropriate way to handle their customer relationships. It is not just their interpretation of this decision that is important, it is their customers’ interpretation that may have the most impact.
The immediate suspension of the Safe Harbor framework without any grace period also raises a very practical question as to what could reasonably be expected of companies that have been relying in good faith on the Safe Harbor framework, before the Commission provides the “clear guidance” mentioned above. However, companies should consider whether any steps could be taken in the near term to mitigate any enforcement risk, e.g., by improving disclosures in their privacy policies, avoiding collecting data—particularly if sensitive—that is not critical to the company’s business operations, or de-identifying data prior to the transfer in situations where the US company does not need to access personally identifiable information. Companies should also consider reviewing their existing vendor or customer agreements and assessing whether any revisions are required in light of the CJEU’s decision.
Hopefully, the CJEU’s decision will accelerate the current discussions between the United States and the European Commission to develop a successor framework to the Safe Harbor framework. Fenwick & West is monitoring these developments and is working with local counsel in the European Union to help our US-based clients navigate the issues described in this alert.
1 Speaking points available at http://europa.eu/rapid/press-release_STATEMENT-15-5782_en.htm.