Client Bulletin: What Does the Demise of the U.S.-EU Safe Harbor Mean to Personal Data Transfers?

By: William B. BakerLindsey Schek Gillespie

On October 7, 2015, the European Union Court of Justice ruled that an important method by which personal data can be transferred from the EU to the United States violates European law. The decision, which comes in a case involving Facebook, will directly affect the approximately 4,500 businesses that have relied – for the past 15 years – on the “Safe Harbor” arrangement negotiated between the Department of Commerce and the European Commission to allow personal data to be transferred from the EU to the United States. 

In particular, any company that transmits personal data – employee, customer, or other – from the EU to the U.S. under the Safe Harbor must evaluate the effect of the decision on its operations. Likewise, any U.S. company that receives personal data – even if only via a web browser – from the EU under the Safe Harbor will also face new complications.

The case arises under Article 25 of the European Data Protection Directive of 1995, which generally prohibits the transfer of personal data from the EU unless the receiving nation has “adequate privacy protections” enshrined in law that essentially equate to European privacy standards. Thus far, Europe has never found the United States to provide adequate privacy protections.

Nevertheless, to allow digital age commerce to take place, in the late 1990s the U.S. Department of Commerce and the European Commission negotiated a Safe Harbor Privacy Framework (a similar Safe Harbor exists between the U.S. and Switzerland, which is unaffected by the EUCJ decision) that permitted the transfer of personal data from the EU to the U.S. subject to certain conditions. Under the Safe Harbor, U.S. companies would self-certify to the Department of Commerce their adherence to a set of data management standards that the European Commission found to be “adequate.” Failures to live up to the standards in the self-certification would be subject to enforcement by the Federal Trade Commission.

The Safe Harbor took effect in 2000, and business has been conducted in reliance on its terms for 15 years. Approximately 4,500 businesses have self-certified to the Department of Commerce, subject to enforcement by the FTC. The cumulative amount of data transfer based on the Safe Harbor is unimaginably vast. Transfers have occurred between European subsidiaries and U.S. parent companies, from European businesses to U.S. cloud storage vendors, within the European and U.S. branches of multinational corporations, and from European users of U.S.-based Internet websites and web services. 

The Safe Harbor framework has faced significant criticism over the years. European critics have argued that U.S. companies often do not provide sufficient transparency regarding their data practices and that the FTC does not really enforce the Safe Harbor. In addition, after the Snowden revelations, critics have also argued that American law enforcement authorities have excessive access to the personal data of European citizens stored in the U.S.

The EUCJ decision came in a case initiated by an Austrian law student named Maximilian Schrems against Facebook Ireland (which transfers Facebook data to the U.S.). The Court held the Safe Harbor invalid because it does not afford an “adequate” level of data protection. 

The immediate implication of the ruling is that transfers of personal data from the EU to the U.S. currently done under the Safe Harbor are no longer lawful unless they are also authorized by a European Data Protection Authority or fit within a legal exemption. The ruling does not immediately affect two other important bases for cross-border data transfers: (1) model contract clauses, and (2) binding corporate rules. Although the EUCJ’s criticism of the purported ability of U.S. law enforcement to access the personal data of EU citizens logically could apply to those as well, no court or data protection authority has yet ruled that these mechanisms are invalid. 

So what should you do if your company has operated under the Safe Harbor?

First, take inventory of what personal data your company handles and whether you receive it in the U.S. from an entity (either a corporate affiliate or an independent company) located in the European Union. In addition, determine under what authority such data have been and are being transferred to the U.S., and what controls apply to such data once they arrive on this side of the Atlantic.

Second, you should review your privacy policy to see what, if anything, it says about the Safe Harbor. 

Third, if you were in the Safe Harbor, continue to operate on the basis of the Safe Harbor commitments. You have committed to do so publicly, and nothing in the EUCJ decision frees you to disregard your pledge to do so. However, there appears to be no reason to renew your certification or apply for self-certification if you had not previously done so.

Fourth, multinational corporations using the Safe Harbor to transfer data from EU subsidiaries to the U.S. parent are likely big targets and should act swiftly to put in place an alternative mechanism such as model contracts.

Fifth, when a European company transfers data to the U.S., the European company must ensure that the U.S. entity has taken steps to comply with European data protection requirements, and are subject to penalties if they allow data transfers to providers in countries that lack “adequate” data protection. If your company receives data from a European company, you will likely be asked to provide some alternative bases in order for their European customers to use their services lawfully. Likewise, a U.S. company that imports personal data from a vendor in the EU should check with its vendor to understand the legal basis for the transfer.

Sixth, where a U.S. company wants to invoke the “model clauses” option, it will need to find an entity in the EU that can serve as the data controller with which it contracts. This could take some time and introducing a data controller into the mix could disrupt the U.S. company’s current operations. 

What will happen going forward with respect to data transfers from the EU to the U.S. is currently unclear. At the moment, European authorities are urging U.S. companies to have patience, and the data protection authorities are expected to issue some recommendations soon. Among the issues that presumably will be addressed is whether the EUCJ decision will have retroactive effect. 

Even absent the Schrems case, the Safe Harbor framework itself was likely to change. The United States government and the EU have been negotiating a revised Safe Harbor for several years to address a number of concerns raised by European critics. In a statement, Commerce Secretary Penny Pritzker said the EUCJ decision “necessitates release of the updated Safe Harbor Framework as soon as possible,” although the decision may give the European side some additional bargaining leverage. 

What’s more, the underlying European law is likely to change with the expected adoption by the EU of a General Data Protection Regulation, which might take effect by 2018. Although it appears from the current draft that the Regulation will not significantly alter the basic outlines of European data protection law, it probably would have necessitated revisions to the Safe Harbor in any event. The EUCJ decision has made this more urgent.

Finally, an important element of any new regime is that European citizens obtain the right to sue the U.S. government for data protection violations. This would be fixed by the Judicial Redress Act, currently pending in Congress, which would allow EU citizens to file lawsuits against the U.S. government just as U.S. citizens can sue under the Privacy Act of 1974. That legislation has not been considered particularly controversial, but the EUCJ decision may change the politics in Congress.

One last additional unknown is whether many other European individuals will emulate Mr. Schrems by filing complaints with Data Protection Authorities, or whether such complaints will be rare. Unfortunately, Google’s experience with the European “right to be forgotten” suggests that the number of Europeans that will act upon their new power to challenge personal data transfers to the United States could be significant. 

Whatever the degree of public activism in Europe, U.S. companies that have relied on the Safe Harbor will need to prepare to operate under new and different conditions. Experienced Potomac Law Group attorneys can help you navigate through this new and uncertain environment.


This bulletin is not intended as legal advice.  Readers should seek professional legal counseling before acting on the information it contains.