The Safe Harbor Framework governing transfer of personal information from the European Union to the United States is no more. On October 6, 2015, the European Court of Justice (ECJ) struck down the vaunted bilateral data protection and transfer agreement, impacting over 4,700 companies that relied on the Safe Harbor for transporting and storing European data overseas. The decision, which took effect immediately and left no grace period for international organizations to make alternative arrangements, vigorously reinforces European legal protections for data privacy while leaving a broad swath of data-related commercial activity on tenuous legal ground.
The Safe Harbor agreement, developed by the European Commission in collaboration with the U.S. Department of Commerce, had been in effect since 2000. It allowed U.S. companies eager to get their hands on valuable European personal data to “self-certify” as compliant with EU standards on data protection. The ECJ criticized the Safe Harbor framework for its failure to adhere to the standards set out in the EU’s Data Retention Directive, claiming that the European Commission cannot limit the rights and powers granted by the Directive. Among other things, the Framework’s lack of legal redress for European consumers attempting to access, rectify or erase personal data “compromises the essence of the fundamental right to effective judicial protection,” as the court wrote.
What happens now? The ECJ’s decision was effective immediately. This means that companies that handle European personal data, even those previously certified under the Safe Harbor, will have to find other legal grounds for continuing their activities, and will likely need to restructure procedures surrounding European data flow. The decision renders each company subject to audit and oversight by supervisory agencies in each of the twenty-eight EU member states, which could pose a variety of difficulties. For organizations scrambling to pick up the pieces, there are some options on the table:
For all its potential complications, the ECJ’s decision marks a strident defense of personal privacy in the digital age by a major judicial body. The full ramifications of such a stand remain to be seen.
For more information on the legal implications of the ECJ’s ruling, and to develop an international data privacy compliance strategy, contact us.
DISCLAIMER: The information in this article is provided for informational purposes only and should not be construed or relied upon as legal advice. This article may constitute attorney advertising under applicable state laws.