- What was the Safe Harbor framework and why was it needed?
- What did the Court of Justice of the European Union say?
- Can the decision be challenged?
- Does the decision preclude all EEA-US data transfers?
- What has the reaction been?
- When am I 'transferring' data out of the EEA?
- What will happen if I continue to rely on Safe Harbor for international transfers?
- What do I need to do if I relied on Safe Harbor?
- Will consent from individuals justify non-EEA data transfers?
- Will there be a new Safe Harbor regime?
- Are data transfers from other countries to the US affected?
In 2000, the United States Department of Commerce and the European Commission agreed the 'Safe Harbor' regime as a means to ensure necessary protection for European individuals whose personal data is transferred from within the European Economic Area to the US.
The Data Protection Directive requires countries within the EEA to implement laws prohibiting the transfer of personal data to a non-EEA country unless that 'third country' ensures an 'adequate level of protection'. The EEA comprises 31 countries – Norway, Iceland, Liechtenstein and all 28 Member States of the European Union.
Safe Harbor allowed US companies to self-certify a commitment to protect personal data in accordance with standards which were accepted to meet European requirements. The European Commission's 'Safe Harbor Decision' confirmed that transfers to such companies were deemed 'adequately protected'. Over 4000 US companies have signed up to the regime.
The decision in Maximillian Schrems v Data Protection Commissioner invalidated the Safe Harbor Decision with immediate effect. From 6 October 2015, the Safe Harbor regime therefore ceased to provide a valid legal basis for EEA-US transfers of all types of personal data.
The Court stated that this was necessary because the Safe Harbor Decision:
- contained a derogation allowing US companies that had self-certified under the regime to share data for national security purposes. However, the agencies with whom data is shared in such circumstances fell outside of the Safe Harbor safeguards, and the Safe Harbor Decision did not address whether there was 'adequate' protection for data so processed; and
- established a disproportionately high threshold for national Data Protection Authorities to intervene and secure protection for individuals. The Commission did not have the authority to restrict the independence of DPAs in this way.
For a full summary of the facts, an analysis of the judgment and a link to a recorded webinar discussing its implications for businesses, please see our bulletin here.
The Court of Justice is the highest court in the European Union. As such, the ruling cannot be appealed or challenged.
No. Safe Harbor was only one of a number of approved methods by which personal data can be legally transferred outside of the EEA. These other legal bases include:
- the use of European Commission approved 'Standard Contractual Clauses'. These model contracts (1) impose non-negotiable obligations on contracting entities to ensure protection for relevant individuals and (2) allow individuals to enforce corresponding rights and obtain compensation in the event of a breach;
- the use of 'Binding Corporate Rules' to facilitate data flows within a corporate group. These rules must be approved by the relevant European authorities;
- reliance on a number of exemptions. The Data Protection Directive states, for example, that personal data may be transferred to a non-EEA country that does not ensure 'adequate protection' where the transfer is necessary for the performance of a contract between a company and the individual, where necessary in the public interest or where the individual has given their unambiguous consent to the international transfer; and
- individual DPAs may accept other country-specific justifications for non-EEA transfers. In the United Kingdom, for example, data controllers may 'self-assess' the adequacy of protection offered in the third country. The UK is unusual in permitting this.
There is uncertainty as to whether these alternative legal bases are affected by the ruling. Although it does not make any explicit conclusions on the wider state of US law and practice, the judgment does make a number of statements against which they should be judged. It states, for example, that legislation permitting public authorities access on a generalised basis to the content of electronic communications, and which fails to give individuals effective means of redress, must be regarded as compromising the essence of European law.
This could provide ammunition for national DPAs to interpret the decision widely and refuse to allow reliance on the alternative mechanisms referred to above, on the basis that they cannot adequately protect against fundamental flaws in the US system. This is particularly likely in the case of SCCs, which explicitly allow DPAs to prohibit or suspend data transfers where they feel the law of the data importer contains requirements to derogate from data protection principles beyond those 'necessary in a democratic society'.
The extent of the decision, and the consequent ability to rely on alternative legal bases for transfers, will therefore depend on the political reaction from relevant bodies in Europe and the US. This is discussed in question 5 below.
Article 29 Working Party
The Article 29 Working Party, comprised of representatives of Member State DPAs, the European Data Protection Supervisor and the European Commission, issued a non-binding press release on the implications of the judgment on 16 October 2015. Although it stressed the need for a robust common position, the lack of clear, immediate guidance as to next steps for organisations transferring data suggests a possible divergence of opinion amongst national authorities. The Article 29 Working Party stated that:
- the existence of mass, indiscriminate surveillance within the US underpins the Court's reasoning and is incompatible with the European legal framework. Existing tools for the transfer of personal data are not the solution to this issue;
- whilst DPAs continue to analyse the scope of the decision, SCCs and BCRs will remain a valid legal basis for EEA-US data transfers. This does not, however, remove individual DPAs' ability to exercise their powers to protect individuals on a case-by-case basis;
- transfers that are made in reliance on Safe Harbor are, however, immediately unlawful and DPAs may take steps to reach out to companies known to rely on Safe Harbor; and
- there is a suggestion that a three-month 'grace period' for enforcement action may be recognised to allow for political solutions to be reached. However, the statement emphasises that this will not stop individual DPAs taking actions they consider necessary to protect individuals (for example, this could be refusing to authorise transfers or suspending data flows). If the Commission and US fail to reach agreement on a suitable replacement for Safe Harbor, and depending on the ongoing assessment of other transfer tools, European DPAs are committed to take appropriate steps, which may include coordinated enforcement action in respect of those who fail to implement alternative, valid methods of transfer.
Individual Data Protection Authorities
Some DPAs have stated they will be taking a measured approach to the judgment and will not seek to punish companies who diligently seek alternative transfer solutions, whereas others are more clearly envisioning a plan of enforcement.
UK: The UK's Information Commissioner's Office has stated, for example, that the decision does not affect the legitimacy of SCCs, BCRs, statutory exemptions and the data exporter's ability to 'self-assess' the adequacy of protection in non-EEA countries.
Czech Republic: The DPA (Úřad pro ochranu osobních údajů, UOOU) published its recommendations regarding EEA-US data transfers on its website on 22 October 2015. UOOU has also approached entities that had notified EEA-US data transfers under Safe Harbor with an informative letter including recommendations for further EEA-US transfers. UOOU has not specified any official grace period regarding EEA-US data transfers. UOOU concludes that:
- EEA-US data transfers based on Safe Harbor are now unlawful and the most suitable mechanisms for data transfers without the UOOU's authorization are SCCs and approved BCRs;
- regarding the SCCs, the controller/data exporter should always carefully consider the risks connected with the data transfer and examine whether the provisions and principles assumed under the SCCs will be fulfilled; the data exporter must use its best efforts to determine if the data importer is able to fulfil its obligations arising out of the SCCs; and
- should the EEA-US data transfer be carried out with the UOOU's authorization, i.e. under exemptions allowing data transfer (e.g. consent, sufficient specific guarantees in a third country, contract performance), it follows from principles of the European law that UOOU should apply such exemptions restrictively within the assessment of a particular application.
Denmark: The Danish data protection authority ("Datatilsynet") has made a statement regarding the consequences of the Safe Harbor ruling.
The Datatilsynet states that the authorisations given on the basis of Safe Harbor since 2000 will no longer be valid and that future transfers based on Safe Harbor will be deemed illegal. It states that Danish businesses will from now on have to establish different grounds for transfers to the US, and mentions consent, Standard Contractual Clauses or Binding Corporate Rules as possible alternatives.
Lastly, the Datatilsynet also mentions the ongoing work in the EU regarding the discussion of whether the Safe Harbor ruling has any consequences for the transfer of data to the US based on alternatives to Safe Harbor.
Finland: The Finnish Data Protection Ombudsman (DPO) has issued instructions on how to act in light of the Court's decision. For instance, the DPO has guided companies and others transferring personal data to the US on the basis of the Safe Harbor framework:
- to find out whether other lawful grounds can be applied to such transfer; and
- to inform data subjects of possible changes in data processing.
Germany: The Conference of German Data Protection Officers of the Federal Government and Federal States (DSK) has issued a 14-point statement on their collective stance following the decision. Notable aspects include the fact that:
- German DPAs will take active steps to stop any EEA-US data transfers which rely only on Safe Harbor;
- new authorisations for BCR covering US transfers will not be granted until the end of January 2016 at the earliest, even where the BCR have been applied for in another member state;
- the same applies to such data export agreements that require an approval (which would be others than regular EU Model Clause based transfers); and
- consent will only be sufficient to justify transfers in very limited circumstances.
Please see our bulletin on and translation of this position paper for more comprehensive guidance.
Hungary: The Hungarian DPA (NAIH) has not published any reaction on Safe Harbor since 6 October 2015. On that day it published a short one-page document (in Hungarian, see here) which states that local DPAs are entitled to investigate the adequacy of the level of protection, even where there is a valid Commission decision on the matter.
Italy: The Italian Data Protection Authority has immediately welcomed the CJEU decision, and on 22 October it issued a provision which repealed its decision dated 10 October 2001 that authorized the transfer of personal data from Italy to the U.S. on the basis of Safe Harbor. As a direct consequence, the Italian Data Protection Authority has explicitly prohibited any data transfer from Italy relying on Safe Harbor. In its decision of 22 October, the authority also pointed out that:
- organizations in Italy have to resort to other possibilities provided by the regulations on the protection of personal data. Awaiting the upcoming decisions to be taken at European level, companies can therefore lawfully transfer the data of Italian citizens only using instruments such as, for example, Standard Contractual Clauses or Binding Corporate Rules; also consent of data subjects can be a valid ground, provided that specific requirements are met;
- according to Article 47 of the Charter of Fundamental Rights of the EU, everyone whose rights and freedoms guaranteed by the law of the EU are violated has the right to an effective remedy before a tribunal; and
- the Italian Data Protection Authority reserves the right to make inspections and audits on the transfer at any time and, if necessary, also to adopt measures provided under the Italian Data Protection Code.
Portugal (Anselmo Vaz, Afra & Associados): The Portuguese DPA (CNPD) has confirmed that:
- existing authorisations granted for US transfers relying on Safe Harbor will be formally reviewed on a case-by-case basis. Organisations must immediately suspend such transfers;
- submissions for Safe Harbor based transfers will no longer be approved; and
- it will only issue 'provisional authorisations' for US transfers justified by alternative transfer mechanisms such as SCCs or private contracts. These authorisations will be subject to revision in the near future and could be revoked following further guidance by the Article 29 Working Party.
Poland: On 12 November the Polish Personal Data Protection Authority (GIODO) issued a statement regarding data transfers to third countries in light of the Schrems judgment. The key points are as follows:
- GIODO refers to the Statement of the Article 29 Working Party of 16 October 2015, where the Working Party indicated that together with US authorities they will seek to work out an appropriate solution to the Safe Harbor invalidation issue by the end of January 2016;
- until that time, i.e. 1 February 2016, GIODO will in general not initiate enforcement proceedings relating to the Schrems judgment on its own initiative. Only if the Member States have not established a common solution by that date will DPAs, including GIODO, start to actively enforce the national laws in that respect;
- at the same time, GIODO stressed that it will react to any complaints received prior to 1 February 2016. Keeping in mind the legal force of the Schrems judgment, and the fact that the CJEU did not decide to defer the effects of its judgment, the transfer of data to the USA based on the Safe Harbor decision formally remains illegal.
Romania (NNDKP): The Romanian DPA has also issued formal guidance, which is broadly in line with the statement of the Article 29 Working Party. It states that:
- US data transfers based on Safe Harbor are now unlawful;
- other mechanisms of transfer such as SCCs, BCRs and consent remain valid legal bases for transatlantic transfers; and
- organisations that relied on Safe Harbor may only continue with EEA-US transfers where they implement these remaining valid legal bases. No transitional period is stated and the DPA has indicated informally that it will begin reaching out to those who have previously filed notifications on the basis of Safe Harbor. Organisations should be proactive in implementing alternative transfer solutions.
It will be essential to follow the statements and approach of the DPAs relevant to your organisation over the next weeks and months. Please see our bulletin recording the stance of European DPAs for more information.
Institutions of the European Union
- In a joint statement given by Frans Timmermans (First Vice President) and Commissioner Věra Jourová, the European Commission indicated that their priority is ensuring the continuation of transatlantic data flows, which they consider the backbone of the European economy. To this end, they have undertaken to intensify efforts to reach agreement with the US on a new 'Safe Harbor' framework that ensures adequate safeguards for individuals and stated that until this is struck, other accepted mechanisms for international transfers (see question 4) should remain a valid legal basis for transfer.
- The new President of the Court of Justice, Koen Lenaerts, has stated that the decision deliberately differs from the earlier opinion of Advocate General Bot (subject to previous Bird & Bird analysis here), delivered as part of the European judicial process. While the focus of AG Bot's opinion was to criticise the broader state of US law and practice, Lenaerts emphasised that the Court did not, itself, make any comment on the state of US law. Instead, the decision represents a pure judgment on EU law. Although ambiguous, this could lend weight to any argument that the decision should only invalidate the Safe Harbor regime in a narrow sense, and not the alternative transfer mechanisms.
The decision has been greeted in the US with near universal criticism. Much commentary suggests it is flawed because it is based on the state of US law at the time of the Snowden revelations in 2013, rather than in 2015, by which time numerous remedial measures had been taken. These include:
- the introduction of the USA Freedom Act, signed into law by President Obama on 2 June 2015. Amongst other things, this bans the bulk collection of telephone records and Internet metadata, limits the government's data collection to the 'greatest extent reasonably practicable' (e.g. preventing bulk collection relating to particular service providers or geographical areas) and provides the government with more demanding reporting requirements to FISA authorities;
- the provisional 'umbrella agreement' reached in September 2015 between the EU and US designed to protect data exchanged for the purpose of law enforcement co-operation; and
- the US Judicial Redress Bill, passed by the House of Representatives on 20 October 2015 and now pending before the Senate, which will grant European citizens the right to obtain judicial redress and enforce rights before US courts if their data is incorrectly or unlawfully processed (e.g. unlawfully disclosed) by certain US government agencies.
Josh Earnest (White House Press Secretary) has said, for example, that the US government believes this decision was based on incorrect assumptions about data privacy protections in the United States. Numerous industry bodies also criticise the uncertainty created by the decision and its potentially negative impact on business within the digital economy. Please see our bulletin recording the initial reactions of a number of US governmental representatives, industry bodies and companies here.
Under European law, data is considered 'transferred' when it is either physically transferred to another country (i.e. to be stored in a data centre on that territory) or when a person residing in another country accesses the data from that country. It is therefore an extremely broad concept that may apply even if personal data is technically stored within the EEA.
Although the US Department of Commerce continues to administer the Safe Harbor program, the Article 29 Working Party unanimously agreed that transatlantic data transfers still occurring in reliance on the Safe Harbor regime are now unlawful.
While the likelihood of immediate enforcement action will depend on the stance of individual DPAs, organisations transferring data to the US on the basis of Safe Harbor should seek a swift and diligent transition to other mechanisms. Failure to make a conscious effort to address the privacy concerns highlighted in the judgment will only increase compliance risk.
Organisations must evaluate their relationships with service providers and processors to establish the legal basis that currently justifies their transatlantic data transfers. Where this was Safe Harbor, alternative arrangements should be implemented without delay to mitigate the current legal uncertainty.
Although BCRs and reliance on exemptions have been mentioned by the European Commission and certain DPAs as permissible alternatives in the short term, the use of SCCs with service providers and clients is likely to be the most appropriate course of action for many clients. Reasons for this include:
- the establishment of BCRs within a corporate group requires a somewhat lengthy process necessitating authorisation from multiple domestic DPAs; and
- national DPAs and judicial bodies have an obligation to interpret relevant exemptions to the general prohibition on non-EEA transfers narrowly. This makes reliance on them uncertain in many cases.
A number of US service providers are already offering customers and partners the opportunity to enter into 'data processing addendums' which purport to incorporate the Commission approved SCCs. Whilst these may provide an immediate 'quick fix' to transfer issues (subject to the ability of national DPAs to intervene on a case-by-case basis), such offerings should be considered carefully. This is because such a contract will be insufficient to justify non-EEA data transfers where changes have been made to the standard wording within the Commission approved clauses.
We would be happy to assist your business as you consider how best to ensure your transatlantic data flows continue uninterrupted with minimum legal risk.
'Unambiguous consent' is another basis upon which data can be transferred.
However, consent needs to be treated with some care. It can be withdrawn, for example, so it should only be relied upon where an organisation has a viable 'plan B'. In addition, data protection authorities generally consider consent insufficient when given by employees, because their subordinate position in relation to their employer means it cannot be freely given.
Relevant bodies on both sides of the Atlantic, including the Article 29 Working Party and the European Commission, have urged the swift negotiation and agreement of an improved 'Safe Harbor 2.0'.
The Commission issued a statement on 26 October 2015 acknowledging agreement with the US 'in principle' but highlighting that issues remain as to how such commitments will be made binding enough to fully meet the Court's requirements. It remains to be seen how quickly this can be turned into a new data transfer mechanism, given the need to provide for US legislative action and scrutiny by various European bodies (including the Article 29 Working Party, the Commission and (most likely) the European Parliament).
The Swiss Data Protection Authority (FDPIC) has confirmed in a statement that until Switzerland negotiates a new framework with the US, the US-Swiss Safe Harbor regime no longer provides a valid legal basis for transatlantic data transfers. The FDPIC does not explicitly mention the prospect of enforcement action but calls upon businesses to adapt/implement contracts with US companies before the end of January 2016. They also commit to coordinating with other European DPAs to determine what other actions may be required to protect the fundamental rights of individuals.
The Israeli Data Protection Authority (ILITA) has also announced that, in light of the decision, the Safe Harbor regime can no longer provide a legal basis for transfers of personal data from Israel to the US. Organisations should diligently implement alternative legal bases, which are not affected. These include: (1) the consent of individuals; (2) where the transfer is from an Israeli parent company to a foreign subsidiary; or (3) where the data importer enters into an agreement with the data exporter to comply with Israeli data protection law. In addition, data exporters must always obtain a written undertaking from the data importer that it will implement sufficient safeguards to protect individuals' privacy rights and refrain from any onward transfer in its own country or any other country.
Given the statements of the authorities above, and the likelihood that other non-EEA DPAs will take a similar stance, it would not be advisable to rely on any form of Safe Harbor framework, wherever the data is being transferred from.