EU Top Court Invalidates Safe Harbor and Sends Facebook Case Back to Irish Data Protection Authority
UPDATE: Here's a link to the English-language version of the ECJ's full decision: Schrems Safe Harbor Decision
A press release issued by the Court of Justice of the EU (ECJ) regarding its decision in the Schrems Safe Harbor case (C-362/14) confirms that the ECJ has declared Safe Harbor invalid. The ECJ has sent the case back to the Irish Data Protection Authority to determine whether Facebook Ireland’s transfer of personal data to the US is permitted under EU data protection law, in light of Facebook’s participation in the NSA’s PRISM program. We are awaiting publication of the decision and will report further after it becomes available.
In the meantime, here’s the background to this decision and some suggestions for what to do next if your company relies on Safe Harbor:
The European Union’s Data Protection Directive (1995) prohibits the transfer of personal information outside of the European Economic Area unless the receiving country ensures an adequate level of privacy protection. Soon after the Directive was passed, the European Commission determined that the US doesn’t offer adequate levels of protection. The EU and the US negotiated the Safe Harbor agreement in 2000 to allow US companies to self-certify that they provide protections that are equivalent to the requirements of the Data Protection Directive.
Currently, over 4,500 US companies rely on the EU-US Safe Harbor program to make their transfer of personal data from the EU to the US legal under European privacy laws.
If your company relies exclusively on Safe Harbor as the basis for its transfer of personal data from the EU to the US, it will need to find another basis for the transfer as soon as possible. The primary options are:
- Consent of the data subject to the transfer. In most circumstances, the consent needs to be explicit and fully informed to be valid. It’s also important to keep records of the consent in case there’s a challenge.
- Binding corporate rules for intragroup transfers. BCRs need to be approved by the relevant national information commissioners, and this is a lengthy process (potentially 18 months or more). So while this is a longer-term option, it won’t help if Safe Harbor is not available. Also, BCRs are vulnerable on the same grounds as Safe Harbor.
- Contracts between the exporting and receiving entities. The European Commission has provided model clauses that can be incorporated into agreements to ensure adequate protection of the transferred personal data. However, see the cautions below.
- In the UK, companies may be able to make their own adequacy determinations under guidance issued by the UK’s Information Commissioner’s Office.
There’s a very important caveat that would apply to all of these alternatives except possibly the data subject consent option: BCRs and model contracts require the data recipients essentially to promise that the data will be protected to the same level as in the EU. If your company could receive a subpoena from the NSA or another US government agency to disclose the personal data of EU residents, then the BCRs and contracts (and UK adequacy determinations) would presumably face the same weakness that the Safe Harbor faces: a fundamental incompatibility between EU data protection law and the powers of US government agencies to conduct intelligence operations and require US companies to comply.