This past Tuesday, in the groundbreaking decision of Schrems vs. Data Protection Commissioner (C-362/14), the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor provision of the EU Commission, 2000/560C/EC. The Safe Harbor program was the easiest method for U.S. companies to comply with EU data protection laws, which require personal data only to be exported when it will retain a comparable level of privacy protection as it has in the EU.
To ensure this similar level of privacy in other countries, the EU uses an “adequacy” test that evaluates all of the circumstances surrounding a proposed transfer of personal data, including the nature of the data, the purpose of the transfer, the security measures in place, and the laws in that country. The Safe Harbor agreement allowed the U.S. to pass the “adequacy” test, but Edward Snowden’s revelations about alleged mass surveillance of EU citizens’ personal data by US intelligence services provoked a challenge to, and subsequent invalidation of, Safe Harbor.
Over 4,000 U.S. companies have been certified under the Safe Harbor program and each of these companies will now need to look to alternative methods to legally transfer data from the EU. The European Commission stated on Tuesday that they “will come forward with clear guidance for national protection data authorities on how to deal with data transfer requests to the U.S., in light of the ruling.” While we await these guidelines, however, companies can begin looking at other options that already exist, including the Model Contractual Clauses for companies exchanging data across the Atlantic and the Binding Corporate Rules for transfers within a corporate group.
Additionally, the Data Protection Directive contains derogations under which data can be transferred, including on the basis of performance of a contract, important public interest grounds, the vital interest of the data subject, or the free and informed consent of the individual. These derogations are often less permissive than they appear, due to narrow interpretations given by the EU Article 29 Working Party and the data protection authorities, so companies will need to work with counsel to formulate their best options.
The U.S. and the EU have been negotiating a new safe harbor agreement for the past two years, but, as of now, it is unknown when they might reach a final agreement. In the meantime, the invalidation of Safe Harbor may have taken the easiest path away for European data transfers, but there are still multiple options available and we are available to help guide you through the choices.