EU’s Highest Court Declares the US-EU Safe Harbor Agreement for Data Sharing “Inadequate”
Today the European Court of Justice (ECJ), the European Union’s highest court, struck down the US-EU data transfer “Safe Harbor” agreement in a case relating to a Facebook user’s complaint alleging a breach of his data privacy rights in the wake of the Edward Snowden leaks. In 2000, the European Commission approved the adequacy of the privacy protections in the current US-EU “Safe Harbor” agreement but the ECJ rejected the Commission’s approval and found that the agreement fails to protect the privacy right of EU citizens for two primary reasons: (i) it permits US national security and law enforcement interests to override the privacy right of EU citizens and (ii) it fails to provide a means for US judicial redress or a means for EU data protection authorities to hear challenges to data transfers to third countries.
As a result, the ECJ’s decision not only removed the existing “Safe Harbor” protections for the transfer of data from the EU to the US but also opened the door to data privacy proceedings by holding that EU citizens have the right file complaints with data privacy authorities in individual member states seeking administrative redress for the unauthorized transfer of private data. The ECJ also did not provide for a grace period for companies to establish new mechanisms of data transfer before the rejected “Safe Harbor” agreement ceases to be valid. Until EU and US officials complete ongoing negotiations on a revised and updated “Safe Harbor” Agreement, there is no “Safe Harbor” for EU data bound for the US.
The ripple effects of this decision are immediate and potentially costly. As it stands, both EU and US companies must find other legal means to transfer data from the EU to the US and, while the European Commission provides alternative approved data transfer mechanisms, designing and implementing these mechanisms will take time and resources. For example, in many European countries, alternative data transfer mechanisms such as the use of binding corporate rules for the electronic transfer of data or the insertion of ‘model clauses’ into third-party agreements, requires the prior approval of national data protection agencies which have historically suffered from long response times.
As companies on both sides of the ocean scramble to respond to the ECJ’s decision, it bears stating the obvious – data that does not absolutely have to transfer to the US should stay in the EU. For EU data that must transfer to the US, companies need to quickly implement and approve alternative data transfer mechanisms. Prospectively, companies should evaluate if data privacy waivers for employees or customers or segregated EU-only data clouds could be deployed to minimize the operational impact of data privacy regulations. And finally, to the extent that companies are aware of current complaints relating to their transfer of private data out of the EU, those complaints should be proactively addressed before the individuals turn to local data protection agencies for redress.