European Court ruling that ‘Safe Harbor’ is invalid
The Court of Justice of the EU ("CJEU") declared on 6th October 2015 that the ‘Safe Harbor’ scheme that governs the transfer of European data to the US is invalid, effective immediately. This decision will affect businesses that transfer EU data to US companies certified under the Safe Harbor scheme, including companies that outsource the processing of EU data to the States, which may now need to revisit their data security measures.
See our latest article on the EU-US Privacy Shield regarding the new framework for transatlantic data flows to replace Safe Harbor.
What is ‘Safe Harbor’?
- The 'Safe Harbor' scheme was developed in 2000 and approved by the European Commission (EC) as a way for US companies to act as data processors on behalf of companies who transfer data from Europe without breaking EU data protection laws.
- European data protection legislation requires that personal data is only transferred outside the EEA to countries which provide ‘adequate’ protection for personal data. The US is not considered to provide such protection under its own laws so personal data from the EU could not be legally transferred to the US. Under Safe Harbor, US companies could self-certify that they are carrying out the required steps to provide the level of data protection necessary to comply with the relevant EU laws. It has since been widely adopted by several thousand US organisations to facilitate transfers of personal data from the EU to the States.
How did the new ruling come about?
- The ruling is the outcome of the recent case of Maximillian Schrems v Data Protection Commissioner [2015]. Schrems, an Austrian student, made a complaint to the Irish Data Protection Commission regarding the transfer of his personal data from Facebook’s Irish subsidiary to servers located in the US where it was processed. His argument was that European data stored by companies in the US certified under the Safe Harbor scheme did not offer sufficient protection against surveillance that would be illegal in the EU.
- The Irish Data Protection Commissioner did not investigate Schrems’ complaint because the EC had declared in 2000 that Safe Harbor was a legitimate and compliant way of transferring personal data to the US. Schrems contested the decision and the matter was referred to the CJEU.
What did the CJEU say?
The CJEU held that the EC’s decision in 2000 regarding Safe Harbor was invalid for the following reasons:
- Safe Harbor enables interference by US public authorities (who are not bound by Safe Harbor) with the fundamental rights of EU citizens that is not limited to what is strictly necessary, because (it is alleged) US law authorises the mass surveillance of personal data without any limitation or exception being made to take account of the objective being pursued. The US authorities deny this.
- Under Safe Harbor, there is a lack of legal remedies in relation to use of individuals’ personal data which restricts their fundamental right to effective judicial protection.
- The EC’s decision regarding Safe Harbor should not eliminate or reduce the powers of the national data protection authorities who must be able to examine with complete independence whether the transfer of personal data out of the EEA complies with EU law.
What are the implications of the CJEU’s ruling?
- This ruling will affect any business that relies on Safe Harbor for the transfer of personal data to the US for processing in relation to its users, customers and/or employees.
- Such companies may find that, despite having thought themselves compliant with EU data protection laws by virtue of their self-certification, they are now falling short of those laws. The risk of being subject to the enforcement measures of the national EU data protection authorities has potentially increased.
- Like Schrems, individuals may challenge how their data is being protected if sent to the US and European customers may also raise concerns about the level of protection of their data and request amendments to existing contracts or other assurances. Data protection issues in contractual negotiations are now likely to be more complex and US data processors may have to take more time and effort to ensure compliance with EU legislation.
- Those affected may in fact still be compliant, and some large organisations such as Microsoft are not concerned, having said in relation to its business customers, "For Microsoft's enterprise cloud customers, we believe the clear answer is that yes they can continue to transfer data by relying on additional steps and legal safeguards we have put in place." However, others may not be so confident and data transfer arrangements to the US should be checked and reviewed. If necessary, companies may need to consider what alternative or additional solutions can be implemented for transferring personal data to the US if they can no longer rely on Safe Harbor.
What alternatives are there to Safe Harbor?
- There are various exemptions under the EU Data Protection Directive to the general prohibition on transfers outside the EEA. The most relevant exemptions which companies should consider are:
  - Model Contract Clauses – The EU data exporter and the US data importer can sign up to an EU approved form of standard ‘Model Contract Clauses’ which provide the required degree of protection to permit personal data to be transferred outside the EEA. The Model Contract terms must be signed 'as is' and cannot be varied if they are to offer the parties the protection required. These would need to be signed or added to an existing contract with each customer, so this would not be a small undertaking for US suppliers with a large European customer base. There are also obvious implications where sub-contractors are involved.
  - Binding Corporate Rules – Companies can implement corporate rules for transfers if they are sharing personal data with their US group companies. However, there are various hoops to jump through, such as obtaining approval from the relevant EU data protection authority, so these can take a while to put in place.
  - Consent and Purpose of Contract – These exemptions refer to obtaining the ‘free and informed’ consent of the data subject and to cases where the transfer is necessary for the purposes of a contract. However, where the transfer is systematic or on a very large scale, these exemptions may be hard to justify, for example where there is no genuine ability for a data subject to give the required consent.
- One obvious but perhaps not very feasible alternative option is to keep data within the EEA and not transfer it to the US. This may be more practical for some organisations than others, depending on whether there are already any data processing operations in Europe but in any event is likely to incur significant time and cost.
What will happen now?
- The EC has said it will provide clear guidance to prevent local data authorities issuing conflicting rulings. It will offer assistance and help to businesses on how to facilitate data transfers in light of the decision with relevant information to be posted on its website.
- The UK Information Commissioner’s Office ("ICO") has also given a public statement which expressly recognises that this ruling is clearly significant, saying that it will be considering the judgment in detail and will issue further guidance for businesses on the options open to them. The ICO’s response to the ruling can be accessed here.
Is there cause for concern and what should US data processors do?
- For the time being at least, Safe Harbor can no longer necessarily be relied on and organisations affected must find other ways to ensure that they are compliant with EU laws. However, they can perhaps take some comfort in the short-term that there are going to be thousands of businesses in the same boat who, encouraged by the relevant authorities, relied on Safe Harbor. Indeed, the ICO in its public statement acknowledged that it will take some time for businesses to review how they ensure legal compliance. It is therefore extremely unlikely that there will be any enforcement action immediately.
- US data processors are, we suspect, likely to see many more requests to enter into the Model Contract Clauses which could be very repetitive and extremely time-consuming. All concerned should perhaps just wait a little while and let the dust settle to see what guidance emerges from the authorities as it undoubtedly must.
- In the first instance US data processors may be well-advised to at least be proactive as far as their customers are concerned in acknowledging that they are aware of the development and perhaps issuing a blanket ‘Model Contract’ and a commitment to abide by it. Even if that is not strictly what data protection legislation requires, it would show a willingness to comply and it might avoid the short-term need to sign up to hundreds if not thousands of individual sets of the Model Contract Clauses.
Further updates and advice
We will be keeping a watch on any guidance provided by the EC and the ICO and will update this article accordingly. If you would like any further information or advice on the effect of this ruling, please contact us at info@TRGlaw.com.
9th October 2015