European High Court Invalidates Safe Harbor for Transfer of Personal Data
On October 6, 2015, the European Court of Justice — the highest court in Europe — invalidated an international privacy agreement between the United States and the European Union, known as the US-EU Safe Harbor. The US-EU Safe Harbor allowed companies engaged in international business activities to transfer personal data from the European Union to the U.S. in compliance with the European Union Data Protection Directive (“EU Data Directive”). Although all is not lost for companies that wish to transfer personal data from the European Union to the U.S., many view the European Court of Justice's decision as a blow to companies seeking an inexpensive and efficient way to comply with the EU Data Directive.
Background of Safe Harbor
In short, the EU Data Directive prohibits the transfer of personal data outside of the European Union unless the laws of the country to which the personal data is being sent are deemed “adequate” under the laws of the European Union. The data privacy and security laws of the U.S. have not been deemed “adequate” by the European Union. Consequently, to be compliant with the EU Data Directive, companies have to undertake certain measures in order to transfer personal data from the European Union to the U.S.
Safe Harbor Invalidated Because of Conflict with EU Law
The European Court of Justice struck down the US-EU Safe Harbor because of the broad discretion held by U.S. governmental agencies to access personal data (such as the U.S. National Security Agency's PRISM mass surveillance program revealed by Edward Snowden), which the court viewed as conflicting with European Union law that permits access to personal data only when strictly necessary. In light of the decision by the European Court of Justice, U.S. companies must now rely on one of the alternative legal mechanisms for transferring personal data from the European Union to the U.S.
Moving Forward Without the Safe Harbor
Among the remaining alternatives for lawfully transferring personal data are (a) “model clauses”; and (b) “binding corporate rules” (“BCRs”). Each of these is a contract-based exception that appears simple at first glance. However, companies may be required to make filings with, and receive approval from, each European country from which personal data is transferred. BCRs also require comprehensive data protection audits.
Safe Harbor 2.0?
In the aftermath of the European Court of Justice's decision, U.S. and European Union authorities will presumably continue to negotiate a new “safe harbor” agreement. It remains to be seen whether, or how, such an agreement will address the concerns expressed by the European Court of Justice.