With EU Safe Harbor Invalidated, Companies Ask: What Now?

Rebecca Torrey, Partner, The Torrey Firm

What happens now?

That is the question that businesses across the country are asking after the Court of Justice of the European Union (CJEU) threw out the Safe Harbor agreement between the United States and the European Union, leaving a wake of uncertainty about the international transfer of data.

The 15-year-old agreement required companies in the United States to self-certify that they were in compliance with seven principles in the EU's standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. Administered by the U.S. Department of Commerce, the agreement permitted American companies to transfer data from the EU to the United States without fear of violating the more stringent data protection laws found in the European Union.

But after Edward Snowden’s revelations about the surveillance activities of the National Security Agency (NSA), Austrian citizen Max Schrems filed a complaint requesting that the Data Protection Commissioner (DPC) of Ireland prohibit a social networking site from transferring his personal data to the United States. Schrems argued that the United States did not ensure adequate protection of his data as required by EU law because of the surveillance activities Snowden exposed.

The DPC refused to investigate the complaint, noting that there was no evidence that the NSA had accessed Schrems’ personal data. Schrems appealed to the Irish High Court, which stayed the proceedings and referred questions to the CJEU, including the validity of the Safe Harbor.

In an opinion still being processed and discussed by legal entities on both sides of the Atlantic, the CJEU ruled not only that the DPC should have investigated Schrems’ complaint, but also that the principles behind the EU’s data laws required that the Safe Harbor agreement be invalidated.

The transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited, the court wrote, and the United States failed to meet this standard for multiple reasons, including that American companies must comply with U.S. law if it imposes an obligation conflicting with the Safe Harbor Principles. In addition, governmental entities are not required to comply with the Safe Harbor, and the broad exemption for “national security, public interest or law enforcement requirements” meant the NSA had access to the data of EU citizens.

“National security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements,” Europe’s highest court wrote. “The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons.”

Companies with a European presence are now left wondering how to handle the trans-Atlantic transfer of data. Without the Safe Harbor framework in place, businesses may opt to keep data in the EU in lieu of sending it to the United States. European countries are now free to create their own data regulations, setting up a potential patchwork of laws that U.S. companies would be required to navigate when dealing with data overseas.

Two other options are available to U.S. businesses: one, known as binding corporate rules, requires an entity to establish company-wide policies and procedures for handling European personal data and make them binding on all relevant affiliates. The company must share its plan with citizens from the relevant countries (so that they can seek enforcement if they believe the policies are being violated) and obtain approval from each relevant European data protection authority. Better suited to large corporations, this path requires time and expense.

Model contracts offer another possible means of compliance for companies. The standard contractual clauses adopted by the European Commission, which form the model contract between a European data controller and a U.S. business, establish the obligations for data transfer and security.

To read the opinion in Schrems v. Data Protection Commissioner, click here.