


The Safe Harbor ruling – Coping with the current uncertainties

In the aftermath of the Court of Justice of the European Union’s (‘CJEU’) ruling of 6 October, many commentators and some European regulators have called for the end of EU/US data transfers, arguing that the CJEU has stated that massive surveillance conducted by US intelligence would interfere with EU fundamental rights and that there would be no viable alternatives to the EU/US Safe Harbor Program which would permit data transfers to the US. Only yesterday (26 October), the German data protection supervisory authorities published a common note in which they stated that they would immediately start enforcement actions should they become aware of Safe Harbor-based data transfers. In this article Dr. Christian Schröder, Partner and Head of Orrick Germany’s IP/IT and Data Privacy Practice and Kolvin Stone, Partner and Global Co-Chair of Orrick’s Cybersecurity and Data Privacy Group, aim to help companies understand the current situation and to distinguish political views from what the CJEU actually said and where the repercussions of the ruling will likely be felt. Christian and Kolvin will try to address these issues by responding to the following questions which, from their experience, companies are currently most concerned about: (1) What did the CJEU say?; (2) Can one continue to rely on the EU/US Safe Harbor Program until further guidance is issued?; (3) Are there other viable options for data transfers to the US?; and (4) What should companies do until clear guidance is given from supervisory authorities?

1. What did the CJEU say? 

The Irish High Court had asked the CJEU to rule on whether: (i) the EU/US Safe Harbor Program has the effect of preventing national data protection authorities from investigating a complaint alleging that a country outside of the EEA does not ensure an adequate level of protection; or (ii) whether in fact, national data protection authorities must conduct their own investigation into the adequacy of Safe Harbor in the light of factual developments that have occurred since the European Commission's Safe Harbor decision was first published.

In reviewing the questions, the CJEU found that the EU/US Safe Harbor scheme did not prevent national data protection regulators from reviewing the adequacy of the protection afforded to data transferred under the scheme. Further, the CJEU determined that national data protection authorities should, following a claim, conduct their own investigations as to whether transfers subject to a European Commission decision comply with the requirements of the EU Data Protection Directive (95/46/EC) (the ‘Directive’). If the authority has doubts regarding the validity of the decision, it may then challenge the European Commission's decision before a court. However, only the CJEU can declare a decision of the European Commission invalid.

In this instance, the CJEU took the opportunity for review presented to it by the Schrems case and declared the European Commission's decision on Safe Harbor to be invalid on the basis that (i) the Commission did not state that the US in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments as required by the procedural rules for making the Decision, and (ii) the Commission exceeded its powers in denying national supervisory authorities the right to investigate transfers pursuant to Safe Harbor. Due to the invalidity, the CJEU asked the Irish national data protection regulator to investigate with due diligence and to consider suspending the data transfer to the US. Following this ruling, the Irish High Court ordered the Irish Data Protection Commissioner (‘DPC’) on 20 October to investigate Facebook’s European data privacy practices. 

The CJEU did not decide on the validity of US intelligence access to EU customer data, nor did it state that, from now on, there would be no other viable option to transfer personal data to the US. However, the CJEU raised the following concerns regarding the EU/US Safe Harbor Program which are not entirely limited to data transfers based on the EU/US Safe Harbor Program: (i) public authorities in the US (including law enforcement) are not subject to Safe Harbor; (ii) national security, public interest and law enforcement requirements of the US prevail over Safe Harbor and require US companies to disregard the protective rules of the scheme where conflict arises; (iii) there are limited means of redress for data subjects in relation to the use of their personal data by law enforcement; and (iv) processing of personal data transferred to the US occurred for purposes that are incompatible with the purpose it was originally collected for and which go beyond what is strictly necessary and proportionate for the protection of national security. In addition, the CJEU decided that personal data originating from the EU must also be protected in the country of receipt by a level of data protection that may not be identical but is effectively equivalent to that within the EU. This is a rather high threshold for the ongoing negotiations between the European Commission and the US on an update of the EU/US Safe Harbor Program.

Further, the CJEU made general comments on the reconcilability of certain hypothetical data access/process operations with the requirements arising under the fundamental rights granted under Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union. For example, the CJEU argues that “legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter.” It also states: “Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter.” Even though not explicitly referred to, such statements have been widely understood as targeting the US Patriot Act and other intelligence access permissions, which grant US intelligence widescale access to, for example, communication data without - so far - granting European individuals the ability to seek individual legal recourse. 

For these reasons, many regulators are currently considering the viability of other data transfer mechanisms.  

2. Can one continue to rely on the EU/US Safe Harbor Program until further guidance is issued? 

The CJEU ruled on the invalidity of the European Commission’s decision 2000/520/EC which provided that EU data would find adequate protection in the US if US companies signed up and were in compliance with the EU/US Safe Harbor Program. In addition, it called on national supervisory authorities to investigate and, if required, suspend data transfers. The CJEU, however, did not declare any data transfer that is based on the EU/US Safe Harbor Program to be invalid. This does not, however, provide much comfort for companies. Under the Directive, data transfers to entities located outside the EU must in general be either going into countries which are considered to provide an adequate data protection standard or they must be safeguarded by other means. As the European Commission’s Safe Harbor decision is no longer valid, no company should continue to rely on the EU/US Safe Harbor Program. In its press release of 6 October, the European Commission did not recommend that companies wait until further guidance be issued. Further, in its statement published on 16 October, the Article 29 Working Party (an advisory body to the European Commission consisting of representatives of the national data protection supervisory authorities) stated that data protection authorities considered that certain alternative means could continue to be used only until the end of January 2016. On 26 October, the German data protection supervisory authorities published a common note in which they stated that they would immediately start enforcement actions should they become aware of Safe Harbor-based data transfers. Alternatively, the UK’s Information Commissioner can be understood to be granting companies some time to review how they will ensure that data transferred to the US is transferred in line with the law before enforcement actions will be taken. 

3. Are there other viable options for data transfers to the US? 

This is likely the most controversial question at the current point in time and one can currently by no means predict with any certainty how this will play out in the coming months. However, in our view, companies should be aware that, depending on the nature of the data and the processing purposes, there are, until the CJEU decides otherwise, valid legal options. There are also sound legal arguments in support of these options. 

As mentioned above, the Directive provides for various means to permit a transfer of personal data to entities located outside of the EU to countries that are not considered as providing an adequate (equivalent) data protection standard. Some are mere exceptions to the general requirement of providing an equivalent data protection standard; see Article 26, paragraph 1 of the Directive. For example, companies are permitted to transfer data to countries outside the EU for legal defence or for the protection of the vital interests of the data subject. Other exceptions are to obtain unambiguous consent from the data subject or when the data transfer is necessary for the performance of a contract. These exceptions are, however, in general seen as being limited to individual transfer situations and should not be used to legitimise continued data transfers as a matter of course. 

Apart from these exceptions, Article 26, paragraph 2 of the Directive provides that EU Member States may authorise sets of transfers to countries not providing an adequate data protection standard where the data exporter implements adequate safeguards with respect to the protection of the privacy and fundamental rights which may, in particular, result from appropriate contractual clauses. Based on this permission, the European Commission adopted so-called EU Model Clauses or EU Standard Contractual Clauses which, in the European Commission’s view, provide for an adequate safeguard within the meaning of Article 26, paragraph 2 of the Directive. In addition, the Article 29 Working Party also considered Binding Corporate Rules (a set of corporate rules which are approved by EU data protection authorities) as providing such an adequate safeguard. 

In its press release of 6 October, the European Commission explicitly referred to these alternative means. Also, the Article 29 Working Party stated in its opinion issued on 16 October that until the end of January 2016, data protection authorities would consider that Standard Contractual Clauses and Binding Corporate Rules could still be used. 

However, with a view to the statements of the CJEU on the permissibility of unrestricted access to communication data for national security purposes and without legal recourse, some legal scholars and apparently also the supervisory authorities of the States of Bremen, Hamburg and Schleswig-Holstein in Germany take the view that any data transfers to the US are currently challengeable. In addition, on 26 October, the German data protection supervisory authorities issued a common position according to which they may also investigate data transfers which are based on EU Model Clauses and assess whether the CJEU’s reasoning as outlined under question number 1 above would require further action. The German data protection supervisory authorities further declared that they would no longer approve data transfers based on Binding Corporate Rules or on ad-hoc agreements. As such, there is considerable uncertainty surrounding the question of whether other viable means exist.

Apart from the fact that companies often do not have any alternatives to a transfer of personal data, the critical view taken by some regulators and scholars should not be considered as a given. As outlined under question number 1, the CJEU did not decide on the general validity of data transfers to the US but was deciding on the validity of the Safe Harbor Decision pursuant to Article 25 of the Directive. In particular, Standard Contractual Clauses are made pursuant to Article 26. The CJEU’s reference to US law was more general and did not decide on whether or not any existing US laws conflict with EU data privacy law. The President of the European Court of Justice, Koen Lenaerts, explicitly confirmed this view in an interview given to the Wall Street Journal published on 14 October. The CJEU, however, published its view according to which mass access to communication data in general without legal redress would be incompatible with Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union.

Accordingly, companies should carefully consider these statements where such massive access without legal recourse is likely to apply. According to the CJEU’s comments, this could be the case for communication data. The CJEU did not address other data. There is also no general information in the news that would give rise to concern that US intelligence would, in practice, have massive access to other individual data, for example, employee data. Finally, EU Model Clauses were confirmed to provide for adequate safeguards by the European Commission. If these EU Model Clauses for data transfers to the US were to be challenged in general, it would be questionable whether individual supervisory authorities have the authority to pursue this issue or whether they would have to seek a legal clarification from the CJEU.

4. What should companies do until clear guidance is given from supervisory authorities? 

US-based cloud service providers, data analytics providers, data storage providers, social networks and a range of other businesses that have built their data transfer models based on the EU/US Safe Harbor Program should quickly implement new solutions. EU customers using US-based services or working with US partners should also consider on what grounds they can legitimately transfer personal data to the US. Internal group transfers from EU group entities to US group entities based on the EU/US Safe Harbor Program will also need to be reviewed. 

For many, putting in place EU Model Clause Contracts (a set of EU approved clauses for data transfers) is the only immediately viable option. However, it has to be recognised that despite there being solid legal arguments as to the validity of Standard Contractual Clauses, there is growing uncertainty as to whether these Clauses can form the basis of a lawful transfer to the US.  

Whilst intra-group agreements or Binding Corporate Rules can offer more scalable solutions that do not require a new contract to be entered into for each new data transfer, it may be sensible to wait before embarking on cost-extensive solutions and instead rely on the other options for the time being until further regulatory guidance is given.

Dr. Christian Schröder Partner and Head of Germany’s IP/IT and Data Privacy Practice

Kolvin Stone Partner and Global Co-Chair of Cybersecurity and Data Privacy Group

Orrick, Düsseldorf and London

cschroeder@orrick.com

kstone@orrick.com
