European High Court Invalidates Safe Harbor for Transfer of Personal Data

Date: October 6, 2015
On October 6, 2015, the European Court of Justice — the highest court in Europe — invalidated an international privacy agreement between the United States and the European Union, known as the US-EU Safe Harbor.  The US-EU Safe Harbor allowed companies engaged in international business activities to transfer personal data from the European Union to the U.S. in compliance with the European Union Data Protection Directive (“EU Data Directive”).  Although all is not lost for companies that wish to transfer personal data from the European Union to the U.S., many view the European Court of Justice's decision as a blow to companies seeking an inexpensive and efficient way to comply with the EU Data Directive.

Background of Safe Harbor

In short, the EU Data Directive prohibits the transfer of personal data outside of the European Union unless the laws of the country to which the personal data is being sent are deemed “adequate” under the laws of the European Union.  The data privacy and security laws of the U.S. have not been deemed “adequate” by the European Union.  Consequently, to be compliant with the EU Data Directive, companies have to undertake certain measures in order to transfer personal data from the European Union to the U.S. 

Among several alternatives, U.S. companies could rely on the US-EU Safe Harbor — the agreement between the U.S. and the European Union that was invalidated on October 6, 2015, by the European Court of Justice.  The US-EU Safe Harbor was a self-regulatory regime that did not require government approval.  A company could qualify for the US-EU Safe Harbor by: (a) adopting and posting a privacy policy that complies with the principles of the US-EU Safe Harbor; (b) self-certifying to the U.S. Department of Commerce that it adheres to the US-EU Safe Harbor principles; (c) making a public declaration of this adherence; and (d) annually self-verifying compliance with the US-EU Safe Harbor.  As a protective and enforcement measure, companies relying on the US-EU Safe Harbor were required to be subject to either an independent, third-party privacy enforcement mechanism or the European Union data protection authorities.

Safe Harbor Invalidated Because of Conflict with EU Law

The European Court of Justice struck down the US-EU Safe Harbor because of the broad discretion held by U.S. governmental agencies to access personal data (such as the U.S. National Security Agency's PRISM mass surveillance program revealed by Edward Snowden), which was viewed to be in conflict with European Union law that provides for access to personal data only when strictly necessary.  In light of the decision by the European Court of Justice, U.S. companies must now follow one of the alternative legal mechanisms for transferring personal data from the European Union to the U.S.

Moving Forward Without the Safe Harbor

Among the remaining alternatives for lawfully transferring personal data are (a) “model clauses”; and (b) “binding corporate rules” (“BCRs”).  Each of these is a contract-based exception that appears simple at first glance.  However, companies may be required to make filings with, and receive approval from, each European country from which personal data is transferred.  BCRs also require comprehensive data protection audits.

Safe Harbor 2.0?

In the aftermath of the European Court of Justice's decision, U.S. and European Union authorities will presumably continue to negotiate a new “safe harbor” agreement.  It remains to be seen whether, or how, such an agreement will address the concerns expressed by the European Court of Justice.