EU-US data transfers 'invalid' if made under 'safe harbour' regime, rules EU court

Out-Law News | 06 Oct 2015 | 1:03 pm

A legal mechanism which enables companies to transfer personal data between the EU and the US is invalid, the EU's highest court has ruled.

The Court of Justice of the EU (CJEU) said the 'safe harbour' regime does not provide adequate data protection, as required by EU law when personal data is sent outside of the European Economic Area.

The ruling means that thousands of businesses will have to find alternative ways of transferring personal data between the EU and the US to remain compliant with EU data protection rules.

Information law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "The judgment means there is greater uncertainty for US businesses that have relied on adopting the safe harbour standards for meeting the requirements of EU data protection laws on data transfers. A new Safe Harbour Agreement is in the pipeline but, as this ruling makes clear, it will no longer be binding on data protection authorities, opening up the prospect that businesses' EU-US data transfer arrangements will be scrutinised in more detail in future."

"Absent a replacement safe harbour regime, many US businesses will now be looking for alternative mechanisms to transfer data from the EU compliantly. The most obvious alternative in many cases will be to adopt model contract clauses that have been developed to enable transfers of personal data outside of the EU," he said.

"However, like the safe harbour regime, model clauses have been approved by the European Commission, giving rise to the possibility that similar challenges could be brought against the adequacy of data protection provided for when model clauses are relied on for transferring data to third countries," said Dautlich.

The UK's Information Commissioner's Office (ICO) said the CJEU's judgment means businesses that have relied on the safe harbour framework "need to review how they ensure that data transferred to the US is transferred in line with the law".

Deputy information commissioner David Smith said that he recognised that the review process would take businesses "some time". He said the ICO plans to issue new guidance for businesses on data transfers in the coming weeks after liaising with other data protection authorities in the EU, and that he understands discussions on a new Safe Harbour Agreement are "well advanced".

The ability to transfer personal data outside the European Economic Area is restricted under the EU's Data Protection Directive. Only where "adequate protections" are in place, or where the destination country has been pre-approved by the European Commission as having adequate data protection, can data transfers go ahead.

The US has not been designated as meeting the 'adequacy' standards, but in 2000 the Commission agreed a framework with US officials to facilitate the transfer of personal data from the EU to the US. The Safe Harbour Agreement meant that US organisations that self-certified compliance with the requirements of the safe harbour regime were deemed as having met the 'adequacy' standards outlined in the EU Directive.

However, that framework has now been ruled invalid by the CJEU. Companies can put in place other measures to transfer personal data. In 2001 the Commission created 'model clauses', since updated, that businesses can adopt to help them meet the 'adequacy' standards of EU data protection laws when transferring personal data outside of the EU.

Companies can also implement 'binding corporate rules' (BCRs) for intra-group data transfers around the world, in consultation with data protection authorities. BCRs involve companies committing in effect to a code of conduct for handling and protecting personal data in a way which accords with the requirements of EU data protection law when transferring that data to other companies in their group in non-EEA locations.

The CJEU's judgment came in a case referred to it from the High Court in Ireland. The Irish court has been reviewing a complaint raised by a privacy group about the way Ireland's data protection authority handled concerns it had raised about Facebook's data transfer arrangements.

The Irish watchdog declined to investigate the campaigners' complaint, arguing that it was bound by the Commission's decision in 2000 that the EU-US safe harbour regime adhered to EU data protection laws. However, the CJEU has now ruled that national data protection authorities are not bound by the Commission's decision and that they are free to investigate complaints about data transfers when new issues come to light.

The Court said, though, that only it has the power to rule whether decisions taken by the Commission in relation to data transfers are valid or not.

The Commission has been in negotiations with US counterparts over a new Safe Harbour Agreement. It opened those negotiations in the aftermath of details of the alleged surveillance capabilities and practices of the US' National Security Agency and other intelligence gathering bodies being made public by whistleblower Edward Snowden in 2013.

The CJEU, relying on the Commission's own assessment in light of the Snowden revelations, said that US intelligence agencies had the ability to process personal data for purposes "beyond what was strictly necessary and proportionate to the protection of national security".

It said that there are insufficient restrictions on how the US authorities can use data transferred to the US from the EU and that therefore the safe harbour regime does not respect privacy in the way required under EU law. The fact that EU citizens do not have a judicial right to redress in the US if their data is mishandled also counted against the safe harbour regime, according to the ruling.

Last month the European Commission confirmed that it has provisionally agreed a new privacy framework that will apply to personal data transferred to US law enforcement agencies. The EU-US data protection 'umbrella agreement' will not of itself provide a lawful authority for the transfer of the data to the US from the EU but will instead apply a range of privacy "protections" to data that is exchanged between law enforcement agencies in the EU and US, the Commission said.

EU justice commissioner Věra Jourová confirmed, however, that the new agreement would not come into effect until new legislation is passed by the US Congress to give EU citizens a right to judicial redress in the US where their data is misused by US agencies.