Recent News - What The ECJ's Safe Harbor Ruling Means for Businesses Dealing in EU Data

Bookmark and Share

Oct 06

Annie Allison

What The ECJ's Safe Harbor Ruling Means for Businesses Dealing in EU Data

Posted by Annie Allison

The European Court of Justice (“ECJ”) declared today that the Safe Harbor data-transfer agreement that has allowed EU data to flow across the Atlantic for the past 15 years is now invalid!  

The decision comes as regulators are working to update the 15-year-old Safe Harbor framework amid increased scrutiny of U.S. privacy practices following the revelations of government whistleblower Edward Snowden.

Today’s ruling impacts more than 4,000 European and American companies who rely on the Safe Harbor agreement to operate businesses in the EU and outsource data processing of EU users’ data to the U.S. 

Under the EU's Charter of Fundamental Rights, citizens are guaranteed the protection of their personal data, a right not necessarily guaranteed here in the U.S.  Under the Safe Harbor agreement, U.S. companies could “self-certify” that they met the more-stringent European privacy protection laws in order to handle EU data across EU borders.  

In a press conference on today’s ruling, the European Commission’s First Vice President, Frans Timmermans, said: “Today’s judgement by the court is an important step towards upholding European’s fundamental rights to data protection. The court confirms the need of having robust data protection safeguards in place before transferring citizens' data.”  

But the ruling also ushers in a period of uncertainty for businesses until the U.S. Department of Commerce and the European Commission can agree to put a new U.S.-EU Safe Harbor framework in place.  The indications for this are promising based on comments from both sides. 

The U.S. Secretary of Commerce, Penny Pritzker, commented that “The court’s decision necessitates release of the updated Safe Harbor Framework as soon as possible,” adding that the Department of Commerce is “prepared to work with the European Commission to address uncertainty created by the court decision so that the thousands of U.S. and EU businesses that have complied in good faith with the Safe Harbor and provided robust protection of EU citizens’ privacy in accordance with the Framework’s principles can continue to grow the world's digital economy.”

For the EU’s part, Timmermans assured that today’s ruling will not stall progress, “[W]e will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic. In the meantime transatlantic data flows between companies can continue using other mechanisms for international transfer of personal data available under EU data protection law.”  

As businesses look to ensure compliance in the interim, it will be critical to assess those “other mechanisms” and to and prioritize current data transfers.  While we wait for Safe Harbor 2.0, the European Commission sites the following “other mechanisms” for international transfer of personal data from the EU:

  • Standard data protection clauses in contracts between companies exchanging data across the Atlantic; and
  • Binding corporate rules for transfers within a corporate group.

The European Commission points out that data can also be transferred on the basis of:

  • Performance of a contract (for example, if someone from the EU books a hotel in the U.S., personal data will be transferred in order to fulfil the contract);  
  • Important public interest grounds (for example, cooperation between authorities in the fight against fraud, cartels, etc.);
  • The vital interest of the data subject (for example, transfer of medical records in urgent life or death situations); as well as
  • Free and informed consent.

Today’s ruling originated in a case brought against Facebook by Austrian privacy activist Max Schrems in light of the Edward Snowden revelations, which exposed how U.S. intelligence agencies surveiled commercial Internet services. Snowden's 2013 revelations on the extent to which U.S. intelligence services were able to access personal information held by companies such as Google and Facebook led the ECJ to begin reexamining the Safe Harbor agreement with U.S. authorities.

That same year, Max Schrems, a law student from Austria, filed a complaint with the Irish Data Protection Commissioner (“DPC”) about the way his personal data was being handled by Facebook in Ireland.  The DPC rejected Schrems's complaint, holding that Facebook's transfer of his data to the U.S. complied with the Safe Harbor rules. Schrems’ appeal of the ruling wound its way up to the ECJ.  Today’s ruling from the ECJ made clear that the Irish DPC has a duty to investigate – but the ECJ took matters one step further, deciding that the Safe Harbor agreement was invalid because it only bound companies, and not U.S. intelligence and law enforcement agencies.