
Safe Harbor European Court Data Protection Ruling

By Andre Bywater and Gayle McFarlane
November 02, 2015

On Oct. 6 of this year, the European Court of Justice (ECJ) gave a very important judgment about EU data protection law in the so-called Schrems case, where it ruled as follows:

  • The EU Safe Harbor regime is invalid; and,
  • National EU Member State data protection regulators have the power to investigate complaints about the adequacy of the level of protection of data transfers to the U.S., and to suspend data transfers if they conclude that the U.S. (or indeed any other jurisdiction outside the EEA) does not provide an adequate level of protection.

All U.S. businesses transferring personal data from the EU need to take note of this judgment and consider what to do as a result.

Background

Following the Edward Snowden U.S. surveillance revelations in 2013, Maximilian Schrems, an Austrian citizen and privacy activist, complained to the Irish data protection regulator that the U.S. does not protect data transferred from the EU against surveillance by its intelligence authorities. In his case, the data was being transferred from Facebook's Irish subsidiary to the U.S. When the regulator rejected the complaint, he challenged that rejection before the Irish High Court.

Fifteen years earlier, in 2000, the European Commission adopted the so-called Safe Harbor Decision, which treated transfers of personal data from the EU to the U.S. as adequately protected where the U.S. recipient had self-certified its adherence to a set of privacy principles.

Because this matter involved an interpretation of EU data protection law, the Irish court had to refer to the European Court (which acts as a kind of Supreme Court on questions of interpretation of EU law and sits in Luxembourg) on the question of whether the 2000 Safe Harbor Decision prevents a national data protection regulator from investigating a complaint claiming that a country does not ensure an adequate level of data protection, and, where appropriate, from also suspending the contested personal data transfer.

Not long before, on Sept. 23, the Advocate-General (who is a member of the European Court, but whose role is to act as a kind of legal adviser to the judges) gave his official legal Opinion. The judges largely followed this Opinion in their ruling, deciding not only that national data protection regulators have such investigatory powers, but that the Safe Harbor Decision itself is invalid. See, Maximilian Schrems v Data Protection Commissioner, C-362/14.

What Happens Next

At press time, because the European Court's judgment binds the Irish court that referred the matter as regards the EU legal position, the Irish court will have to apply the ruling to the facts. Inevitably, the Irish data protection regulator will be required to examine Schrems' complaint swiftly and decide whether, under EU Data Protection Directive 95/46, the transfer of the data of Facebook's European subscribers to the U.S. should be suspended on the ground that the U.S. does not afford an adequate level of protection of personal data.

Consequences

In light of the European Court's ruling, the Safe Harbor regime no longer acts as a blanket exemption to the prohibition on transferring personal data to “third countries” (in the words of the EU Data Protection Directive), that is, jurisdictions outside the European Economic Area (which comprises the 28 EU Member States plus Iceland, Liechtenstein and Norway) that the European Commission has not found to provide an adequate level of protection.

Also as a result of the European Court's ruling, individual data protection regulators in the 28 EU Member States now have more power, in that they can investigate the adequacy of the protection of data in third countries and can suspend transfers to those countries if they conclude that protection is wanting, even where a European Commission Decision says otherwise. This raises the question of whether further complaints might be brought before national EU Member State data protection regulators against U.S. Internet businesses such as Google, Yahoo, Microsoft and Apple in the same context. Whether the regulators are ready for this is one issue, but equally, some businesses may need to consider this as a possibility.

National regulators like the UK's Information Commissioner's Office (ICO) were already issuing press releases on the day of the judgment in immediate response. The ICO's press release stated that it would take businesses “some time … to review how they ensure that data is transferred to the U.S. in line with the law” and that it would be working with other EU Member State data regulators to issue guidance to help businesses. The ICO took care to point out that the European Court's ruling did not indicate any increase in the threat to personal data, but rather that businesses must take steps to protect it. See, bit.ly/200rV1V.

Generally speaking, across Europe, data protection regulators embraced the European Court's ruling as a significant plus for data protection. This might primarily be driven by the fact that the ruling could help reduce complacency and thereby encourage data controllers to consider data transfers on their own merits, rather than simply signing up to a global scheme and forgetting about them. This is also in tune with the focus on so-called Privacy Impact Assessments in the proposed EU Data Protection Regulation that will replace the EU Data Protection Directive and is expected to be finalized either at the end of this year or early next year. See, http://bit.ly/1s9hpRf.

The European Commission, in its press conference on the day of the European Court's ruling, also stated that it remained fully committed to data transfers to the U.S., but at the same time, stressed that it had made 13 recommendations on how to make Safe Harbor safer following the Snowden revelations. As far as the proposed EU Data Protection Regulation is concerned, the European Commission stated that the ruling underlines the additional powers of data protection regulators set out in the proposed Regulation. By way of comment, although a key component of the proposed EU Data Protection Regulation is a “one-stop shop” for data protection compliance, the European Court's ruling, together with another headline European Court ruling the week before in the Weltimmo case, seems to be taking a different approach. See, Weltimmo s.r.o. v Nemzeti, Case C-230/14 (Oct. 1, 2015).

It should also be pointed out that the EU and the U.S. had already been in negotiations over replacing Safe Harbor, and no doubt the European Court's ruling has injected a new urgent impetus into this process.

The European Court's ruling has also been felt in Switzerland, where the regulator there, the Federal Data Protection and Information Commissioner, issued a press release the day after the ruling, stating that the agreement between Switzerland and the U.S. was also called into question by the ruling. The Swiss regulator recommended that Swiss organizations that transfer data to the U.S. should enter into contractual terms with their providers, and, that data should be stored by European providers on servers in Europe. See, bit.ly/1OUD1Ai.

What Can U.S. Businesses Do?

Despite the apparently draconian nature of this ruling, businesses should not panic. Although the European Court's ruling provides no transition period for the invalidity of the Safe Harbor Decision, and so appears to have taken immediate effect, the European Commission and the national EU Member State data protection regulators have acknowledged that it will take time for businesses to address the consequences of this ruling, and that the regulators themselves need to come together to agree how they will deal with those consequences. The latter will likely occur with the support of the European Commission and take place through the so-called Article 29 Working Party, an important forum of EU Member State data protection regulators and the European Commission.

However, businesses must not stand still, but instead take active stock of the situation themselves.

A first step would be for a business to map out its data flows and ask what information travels outside of the EU, to whom, and on what legal basis. For example, is the transfer made within a corporate group or to third parties? And is the business relying on Safe Harbor, or on another transfer mechanism?

Contracts with third-party suppliers that rely on Safe Harbor should be checked, and depending on the circumstances, it might be time to start a dialogue with them. Equally, if the business itself acts as a supplier that relies on Safe Harbor to legitimize its data processing activities, it will be important to ensure that the European Court's ruling does not put the business in breach of any of its contracts; the business should consider reaching out to its affected customers.

Once the business has taken stock and had time to look into its situation, such as outlined above, it should consider the options. At press time, they are as follows:

  • First, stop transferring personal data to the U.S. and, for example, site the business' servers in Europe. This may well appear to be a step too far for some businesses, but for others this might be a relatively easy switch.
  • Second, a business can put in place so-called Model Form Data Transfer Agreements (the European Commission's standard contractual clauses, often called model clauses). In many ways, these are an easy fix. They are ready and available, as the European Commission set these out some time ago. It should be stressed, however, that a business must not change any of the terms contained in these Agreements. Also of significant importance is the fact that they are legally binding documents that impose obligations on both parties, which should be clearly understood, so a business should not enter into these lightly. They also need to be entered into between the EU data exporter and each data importer, whether that importer acts as a data controller or a data processor. For suppliers with many customers, this can be a time-consuming and paper-heavy process.
  • Third, consider moving to so-called Binding Corporate Rules. These are being officially recognized in the proposed EU Data Protection Regulation, signaling their importance for the future. But do not consider this simply as a knee-jerk response, because Binding Corporate Rules require a corporate “buy-in” to the protection of personal data. This, in fact, is their strength. So those businesses that seriously adhered to Safe Harbor may well find that they are already a long way down the road toward making the changes required for Binding Corporate Rules. It must be stressed, however, that they are not an overnight solution: once a business has its house in order, if it decides to take this route, it will have to negotiate the Binding Corporate Rules with the data protection regulators in order to obtain approval. This can take some months; businesses may therefore want to apply early, before the regulators are swamped with requests.

Reactions in the U.S.

These options, however, are “a series of bad choices,” says Miriam Wugmeister, partner and global co-chair of Morrison & Foerster's Privacy and Data Security Group. “They leave [U.S. companies] entirely vulnerable to any data protection authority taking the position that the recipient country does not provide adequate protection and thus suspending or prohibiting the transfer based on those other mechanisms.”

Baker & McKenzie partner Lothar Determann, a member of the firm's global privacy and information management working group, says that “U.S. companies that are registered under Safe Harbor will, for now, continue to be obligated to follow the Safe Harbor principles, because they promised that in their privacy policies to the data subjects. Unless they de-register and withdraw these promises with effect for the future, nothing will change for them as a matter of U.S. law. They should watch the developments about renegotiating the program. If [the program] doesn't get renegotiated at some point, then I would expect that companies will exit the program and will say it is because there is no benefit to them anymore. They will stop participating in it, which means that the Europeans would lose a great mechanism that they had for protecting European data in the U.S. and getting U.S. authorities and courts, potentially, to protect European data, not only under U.S. law but additionally under European law. That would go away if the companies exit.”

“Just as with the whistleblowing hotlines a few years ago,” Wugmeister adds, “the ECJ opinion has set up a direct conflict of laws between Europe and the U.S. Companies may spend tremendous time and money in the next few weeks seeking an alternative which just does not exist. Waiting to see how this settles out may be the wisest course of action.”

David Ray, director at Huron Legal, says that “this decision has trade implications that could potentially be devastating to both multinational companies as well as businesses which rely on cloud services.”

Past the options outlined above, Ray says, “specific steps can be taken to design applications and databases to have the ability to segregate information based on provenance, and either apply different rules or remove it.”
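The data-mapping step described under “What Can U.S. Businesses Do?” and Ray's suggestion of segregating records by provenance can be combined in a single export control: each record carries the country it was collected in, every counterparty has a recorded transfer basis, and a gate decides at the point of transfer whether to send the record as-is, send a minimised copy, or refuse. The code below is an added illustration written for this page; it is not code from the article, its authors, or any of the firms quoted. The country lists, field names, basis kinds and sample records are constructed assumptions, and a real deployment would load the adequacy list from an authoritative, dated source.

```python
"""Provenance-aware transfer gate (added example, not from the article)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed for this example: EEA members at the time of the ruling
# (28 EU states plus Iceland, Liechtenstein and Norway).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB", "IS", "LI", "NO",
}

# Assumed list of countries with a Commission adequacy finding; "US" is
# deliberately absent because Safe Harbor no longer confers adequacy.
ADEQUATE = {"AD", "AR", "CA", "CH", "FO", "GG", "IL", "IM", "JE", "NZ", "UY"}

# Assumed set of fields that identify a data subject; stripped on a
# minimised export.
PERSONAL_FIELDS = {"subject_id", "name", "email", "ip"}


@dataclass(frozen=True)
class TransferBasis:
    """Legal basis recorded for one counterparty (assumed three kinds)."""
    kind: str          # "model_clauses", "bcr" or "safe_harbor"
    destination: str   # ISO country of the importing entity


@dataclass
class Record:
    origin: str                 # ISO country where collected (provenance)
    fields: Dict[str, str]


class TransferGate:
    def __init__(self, bases: Dict[str, TransferBasis],
                 safe_harbor_valid: bool = False) -> None:
        self.bases = bases                    # counterparty name -> basis
        self.safe_harbor_valid = safe_harbor_valid

    def basis_is_valid(self, basis: TransferBasis) -> bool:
        # Safe Harbor is only honoured if the operator explicitly says so;
        # after the ruling the default is that it is not.
        if basis.kind == "safe_harbor":
            return self.safe_harbor_valid
        return basis.kind in ("model_clauses", "bcr")

    def flows_needing_attention(self) -> List[str]:
        """Data-mapping step: third-country counterparties whose recorded
        basis no longer holds."""
        return sorted(
            name for name, b in self.bases.items()
            if b.destination not in EEA
            and b.destination not in ADEQUATE
            and not self.basis_is_valid(b)
        )

    def export(self, record: Record,
               counterparty: str) -> Tuple[str, Dict[str, str]]:
        """Return (decision, payload); decision is "allow", "minimised" or "deny"."""
        basis = self.bases.get(counterparty)
        if basis is None:
            return "deny", {}                 # unknown recipient: never send
        if record.origin not in EEA:
            return "allow", dict(record.fields)   # not EU-origin data
        if basis.destination in EEA or basis.destination in ADEQUATE:
            return "allow", dict(record.fields)
        if self.basis_is_valid(basis):
            return "allow", dict(record.fields)
        # No valid basis: apply the stricter rule and strip identifying data.
        minimised = {k: v for k, v in record.fields.items()
                     if k not in PERSONAL_FIELDS}
        if not minimised:
            return "deny", {}                 # nothing non-personal survives
        return "minimised", minimised


# Constructed sample counterparties and records.
BASES = {
    "analytics-us": TransferBasis("safe_harbor", "US"),
    "crm-us": TransferBasis("model_clauses", "US"),
    "backup-ch": TransferBasis("safe_harbor", "CH"),   # CH is adequate anyway
}
EU_RECORD = Record("IE", {"subject_id": "u1", "email": "a@example.org", "plan": "pro"})
US_RECORD = Record("US", {"subject_id": "u2", "email": "b@example.org", "plan": "free"})


def demo() -> Dict[str, object]:
    gate = TransferGate(BASES)
    return {
        "attention": gate.flows_needing_attention(),
        "eu_to_analytics": gate.export(EU_RECORD, "analytics-us"),
        "eu_to_crm": gate.export(EU_RECORD, "crm-us"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it lists `analytics-us` as the only flow that still depends on Safe Harbor, sends the EU record to the model-clauses counterparty unchanged, and sends only the non-identifying `plan` field to the Safe Harbor-only counterparty. Flipping `safe_harbor_valid` to `True` restores the pre-ruling behaviour, which is the switch a business would throw only once a replacement arrangement is in force.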

Rajesh De, a partner at Mayer Brown, leader of the firm's cybersecurity & data privacy practice, and former general counsel of the National Security Agency, says the decision “really calls into question the stability of the EU standards and undermines the ability of the EU to manage privacy in a holistic way. It also puts pressure on EU/U.S. regulators to negotiate an agreement.”

Companies, De continues, have “basically depended for a decade and a half on an understanding of the safe harbor rules, and overnight the ECJ has undermined those concepts. They will have to think about their data posture and potentially alter their infrastructure to comply with these new rules.”


André Bywater and Gayle McFarlane are commercial lawyers with Cordery Compliance in London, where they focus on regulatory compliance, processes and investigations. Reach them at [email protected] and [email protected]. This article also contains reporting from this newsletter's ALM siblings Legaltech News, The Recorder, and Corporate Counsel.

