
The CJEU's safe harbour ruling – the questions and answers in the aftermath

Out-Law Analysis | 07 Oct 2015 | 3:49 pm

FOCUS: On Tuesday the EU's highest court ruled that the 'safe harbour' framework, which facilitates the flow of personal data from the EU to the US, is invalid.

The judgment by the Court of Justice of the EU has created uncertainty for businesses. Companies want to know how the judgment will affect them, what actions, if any, they need to take, and what steps are being taken by the EU institutions and regulators to help them continue transferring personal data in a way that complies with EU data protection laws.

Q: Reports so far have varied on how serious the implications of the judgment are at a practical level for companies. What will be the immediate impact on them?

A: If they are themselves using safe harbour, they should urgently review the position, and consider other mechanisms that enable data transfers as an alternative, for example EU model contract clauses. If their suppliers or business partners are using safe harbour, the customer organisation should be urgently seeking an update from their supplier or business partner as to what alternative mechanism they are proposing to put in place, and when.

Q: What guidance can be expected from the ICO and other data protection authorities around the EU?

A: The advisory body comprising representatives from each of the 28 EU data protection authorities, the Article 29 Working Party, is considering the judgment this week in a meeting convened for this purpose. The ideal position is that they provide guidance on the interpretation and practical application for companies of the judgment, as soon as possible.

The judgment is limited to the safe harbour mechanism, but the problems identified by the court with that mechanism potentially extend to other transfer mechanisms, such as EU model contract clauses. The Article 29 Working Party needs to issue guidance as soon as possible on its collective position on such issues – see the preliminary view expressed below.

Meanwhile, companies should monitor the press releases issued by their national data protection authority. In the UK, the Information Commissioner's Office has already issued a statement, making clear its position that data controllers will have some time to transition.

Q: How will the judgment affect the long ongoing negotiations between the US and the European Commission to agree a new version of safe harbour?

A: The ideal position is a swift resolution to those negotiations, so that a new version of safe harbour can be launched. Whether this is feasible depends on how effectively the parties have anticipated and addressed the shortcomings in safe harbour identified in the judgment, and reached agreement on the alleged deficiencies in the scheme’s enforcement mechanisms and transparency that have previously been identified by the Commission. Some of these engage political matters that require legislative change in the US. The negotiations may not conclude any time soon.

Q: How has the European Commission reacted to the judgment?

A: EU commissioners Frans Timmermans and Vera Jourová held a press conference following the judgment on Tuesday. Timmermans said the Commission "will come forward with clear guidance for national data protection authorities on how to deal with data transfer requests to the US, in the light of the ruling". He said the guidance "should help avoiding a patchwork of potentially contradicting decisions by the national data protection authorities and therefore provide predictability for citizens and businesses alike".

Jourová said she had spoken with Article 29 Working Party chair Isabelle Falque-Pierrotin, who heads the French data protection authority CNIL, and agreed on the need for a coordinated response to the ruling. She also outlined the alternative mechanisms businesses can use, now the safe harbour regime has been deemed invalid, to transfer personal data outside of the EU.

"The EU data protection rules provide for several other mechanisms that provide safeguards for international transfers of personal data, for instance through standard data protection clauses in contracts between companies exchanging data across the Atlantic or binding corporate rules for transfers within a corporate group," Jourová said.

"Also the data protection rules include derogations under which data can be transferred on the basis of: performance of a contract [e.g. if you book a hotel in the U.S., my personal data are transferred there in order to fulfil the contract]; important public interest grounds [e.g. cooperation between authorities in the fight against fraud, cartels, etc.]; the vital interest of the data subject [e.g. it means in urgent life or death situations, personal data such as medical records can be transferred internationally in the person's own interest]; or if there is no other ground, the free and informed consent of the individual," she said.

Q: How have others responded to the ruling?

A: Trade body the Internet Association, which boasts companies such as Google, Amazon, Facebook and Uber as members, said the ruling could present "significant challenges" for small businesses.

Internet Association president and chief executive Michael Beckerman urged the EU and US to "join forces to implement a revised safe harbour framework and to issue interim guidance to stakeholders pending this implementation".

The US government expressed its disappointment in the ruling. US secretary of commerce Penny Pritzker said the safe harbour regime "has proven to be critical to protecting privacy on both sides of the Atlantic and to supporting economic growth in the United States and the EU".

She said the decision "does not credit the benefits to privacy and growth that have been afforded by this Framework over the last 15 years", and said the ruling "necessitates release of the updated safe harbour framework as soon as possible".

Microsoft has tried to reassure some of its cloud customers about the impact of the ruling. In a blog, president and chief legal officer Brad Smith said: "Some customers may ask if this means that they will no longer be able to transfer their customer data from the European Union to the United States. For Microsoft’s enterprise cloud customers, we believe the clear answer is that yes they can continue to transfer data by relying on additional steps and legal safeguards we have put in place." 

"This includes additional and stringent privacy protections and Microsoft’s compliance with the EU model clauses, which enable customers to move data between the EU and other places – including the United States – even in the absence of the safe harbour," he said.

Marc Dautlich is a data protection law expert at Pinsent Masons, the law firm behind Out-Law.com.