October 7, 2015

Batten Down The Hatches: The US-EU Data Protection Safe Harbor Framework Invalidated

Arnold & Porter Advisory

On October 6, 2015, the Court of Justice of the European Union (CJEU) issued a decision that invalidates the US-EU Data Protection Safe Harbor Framework (Safe Harbor Framework) as it is currently formulated. The decision casts doubt on the authority of the EU Commission, which officially approved the Safe Harbor Framework in 2000, to determine on a pan-EU basis whether such a framework affords the level of data protection required by the European Parliament's directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Directive). 

The CJEU decision is a radical upset to the day-to-day operations of thousands of companies involved in the movement of significant amounts of personal data across transatlantic borders. The decision will also impact the conduct of internal investigations by US multinational companies with operations in the EU that have relied on the safe harbor to move data from the EU to the United States for review as part of the investigation.

The Safe Harbor Framework has been in operation for more than 15 years and more than 4,000 US-based businesses rely on it for receiving transfers of personal data from the EU. These companies and the EU-based entities with which they cooperate must now assess whether these transfers can continue without violating the Directive, and what new steps may be necessary to ensure compliance. The Directive has already led to a patchwork of privacy legislation across the 28 member states of the EU, and the CJEU's new judgment arguably further undermines commercial confidence in the ability to practically comply with that legislative regime.

Background on the Directive and the Safe Harbor Framework

The Directive, which became effective in October 1998 and has been implemented in various forms through legislation of the EU member states, provides that "the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if . . . the third country in question ensures an adequate level of protection." The Directive also provides a mechanism whereby the EU Commission can enter into negotiations with a third country to remedy any concerns regarding the level of protection that will be afforded in such country, and to base a conclusion that the third country provides "adequate" protection based on the outcome of such negotiations.

Through such negotiations, the US Department of Commerce and EU Commission developed the Safe Harbor Framework, which established principles and guidelines under which the transfer of personal data from the EU would be deemed consistent with the Directive. Under the Framework, such transfers are permissible if made to US-based organizations that have certified their adherence to data protection principles comparable to those established by the Directive.1 On July 26, 2000, the EU Commission formally approved the Safe Harbor Framework, declaring that adherence to the Framework ensured an adequate level of protection in the United States for data transferred from the EU to be in compliance with the Directive.2 On the basis of the Commission's approval, many companies opted to rely on the Framework as the legal grounds for systematically transferring personal data from the EU to the United States. 

Since Edward Snowden's 2013 allegations concerning US government surveillance practices, the operation of the Safe Harbor Framework has been increasingly put under the spotlight. In late 2013, the EU Commission issued thirteen recommendations for improving the Safe Harbor Framework in order to "restore trust in data flows between the EU and the U.S."3 These recommendations included changes to data protection transparency and enforcement practices, opportunities for "redress" of alleged Framework violations, and limitations on when US authorities may invoke the national security exception under the Framework.4 Last year, the EU Parliament also called for the "immediate suspension" of the Framework, threatening trade action if reforms were not made.5 In response, the US government has proactively sought to negotiate a revised Framework, and those negotiations will likely be accelerated in the wake of the new CJEU decision.

The CJEU Decision

While the post-Snowden-leaks challenges to the Framework had cast some degree of doubt over its continued viability, the CJEU's new ruling represents an immediate threat to US-based companies' ability to receive personal data from the EU consistent with the Directive.

The facts giving rise to the CJEU decision involved a Facebook user, Maximillian Schrems. Mr. Schrems (an Austrian national) brought a complaint to the Irish DPA regarding Facebook's transfer of some or all of his data in his Facebook account, from Facebook's EU-based servers in Ireland to its servers located in the US, reciting (the now largely debunked) Snowden allegations that the NSA had "obtained unrestricted access to mass data stored on servers in the United States owned or controlled by" Facebook.6 

The national supervisory authority for data protection (DPA) for Ireland dismissed the complaint, finding that it had no basis to even evaluate Mr. Schrems's concerns because it was bound by the EU Commission Decision, whereby Facebook's adherence to the Framework meant Facebook had provided an adequate level of protection as required under the Directive for any Ireland-to-United States transfers of Mr. Schrems's personal data. Mr. Schrems took the issue to the Irish High Court, which in turn asked the CJEU to decide whether the Irish DPA was permitted to conduct an investigation into Facebook's practices to ensure there was an adequate level of protection as required under the Directive (i.e., whether the Irish DPA had to defer to the EU Commission's approval of the Framework).

On September 23, 2015, Advocate General Bot issued a non-binding opinion finding that no individual DPA is precluded from considering adequacy, notwithstanding the EU Commission's approval of the Framework. The Advocate General further stated that "the law and practice of the United States allow the large-scale collection of the personal data of citizens of the Union which is transferred under the safe [harbor] scheme, without those citizens benefiting from effective judicial protection" and that, therefore, the current Safe Harbor Framework is invalid.

The CJEU largely adopted the Advocate General's opinion.

First, the CJEU invalidated the EU Commission's decision that the Framework was adequate. The court found that the Framework fails to prevent the US government from accessing, systematically and on a generalized basis, without any differentiation, limitation, or exception, personal data held by private entities in the United States, and fails to provide sufficient processes to protect an individual's privacy and afford that individual redress.

The CJEU noted that the Safe Harbor Framework applies only to entities in the US that adhere to it and not to "United States public authorities." The CJEU also noted that, under the EU Commission's decision approving the Framework, "'national security, public interest, or law enforcement requirements' have primacy over the safe [harbor] principles," such that US-based entities receiving data transferred from the EU "are bound to disregard those principles without limitation where they conflict with those requirements and therefore prove incompatible with them." The CJEU stated that "[U.S.] public authorities . . . have access on a generalised basis to the content of electronic communications," and that such generalised access "must be regarded as compromising the essence of the fundamental right to respect for private life." The CJEU drew specific attention to the fact that the EU Commission itself had determined that an adequate level of protection cannot be assured where national security, public interest, and law enforcement requirements effectively override the Framework.

On the issue of redress, the CJEU found that the inability of an individual whose data has been transferred to the United States pursuant to the Framework to seek legal remedies in order to have access to their data, or to "obtain the rectification or erasure of such data," is a violation of the fundamental right to effective judicial protection. (The Obama Administration has publicly discussed providing alternative dispute resolution mechanisms as remedies for non-US persons, akin to the remedies available to US persons under similar circumstances, and such remedies may be afforded under the anticipated new Framework.) 

On these grounds, the CJEU concluded that the EU Commission decision approving the Framework is invalid.

Second, in perhaps a more significant development in the long run, as part of its reasoning the CJEU held that "the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities." In other words, DPAs are required to assess independently the Charter of Fundamental Rights of the EU and compliance with the Directive, and an EU Commission decision does not prevent a DPA's continuing oversight of transfers of personal data to third countries.

This may effectively transform the ongoing negotiations between the EU Commission and the US government over a revised Framework into a multilateral discussion, involving closer dialogue with each EU member state's DPA. If a DPA, now or in the future, determines that a Safe Harbor Framework is not sufficient, it can ultimately seek to have that question referred to the CJEU (although the CJEU confirmed that it alone has the task of deciding whether or not an EU Commission decision is valid).

What Does This Mean For Businesses?

Fundamentally, the CJEU's judgment undermines the core concept of "safe harbor" as embodied in the Framework. It underscores the need for US companies, and the US government, to engage in the public dialogue necessary to build trust across the Atlantic and to clarify the meaning and application of US law to US law enforcement and intelligence activities.

As an immediate practical matter, the CJEU judgment does not prohibit transfers of personal data from the EU to the United States. But it does preclude reliance on the Framework as the legal basis for making such transfers consistent with the Directive. Therefore, businesses that relied on the Safe Harbor to legitimize those transfers will need to re-assess their options for compliance with the Directive. There are several alternatives to the Safe Harbor, including use of the so-called "model contractual clauses" or Binding Corporate Rules (BCRs), the latter of which are assessed and approved on an individual DPA basis. Both of these mechanisms have their benefits, but also certain downsides. For example, BCRs can take at least twelve months for some DPAs to process and approve, so model clauses may be a viable short-term solution, subject to their limitations.

The EU Commission has publicly indicated that it is planning to release "clear guidance" for DPAs in the wake of the ruling, but guidance coordinated with the DPAs would be more helpful, as the CJEU's decision has undermined the EU Commission's ability to speak authoritatively on this issue. Meanwhile, many of the DPAs have announced publicly that they are taking time to consider fully the implications of the CJEU judgment. Businesses should do the same, but should not delay in taking steps to address how best to handle EU-to-US transfers of personal data in accordance with the Directive without reliance on the Safe Harbor.
