Storm over Safe Harbor
Last month the Court of Justice of the European Union (CJEU) ruled that the “Safe Harbor” scheme, used by many organisations as the legal basis for transferring personal data to the United States, does not comply with EU data protection laws. The case involved a challenge by Austrian student Max Schrems in the Irish courts in relation to transfers of personal data by Facebook’s EU subsidiary, to servers in the United States.
What is Safe Harbor?
Safe Harbor is a self-certification scheme administered by the US Department of Commerce and enforced by the US Federal Trade Commission. It was approved by the European Commission in 2000 (Commission Decision 2000/520/EC) as providing adequate protection for the purposes of the eighth data protection principle.
The eighth principle states that personal data may not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. Safe Harbor was intended to provide EU data controllers with a level of comfort that personal data would be properly protected by the recipient, notwithstanding the absence of adequate data protection laws in the US.
As such, Safe Harbor is used by many organisations in Europe as a streamlined way to transfer personal data to the US in compliance with EU data protection rules. Such transfers frequently arise when using cloud-based technology and data centres or other outsourced services, and on intra-group data transfers for those with operations on both sides of the Atlantic. More than 5,000 US organisations are Safe Harbor-certified, including a number of major technology companies and international businesses.
Why did the CJEU rule Safe Harbor unlawful?
The European Court’s concerns relate to the failure of Safe Harbor to protect the personal data of EU citizens from surveillance by US intelligence and law enforcement agencies. These concerns have been expressed on a number of occasions following the revelations by Edward Snowden, and discussions were already ongoing between the EU and the US about ways in which Safe Harbor could be reformed to protect EU citizens better.
In short, the CJEU held that the blanket approach to authorisation is incompatible with the requirements of EU data protection laws.
The Safe Harbor principles bind only the US organisations that self-certify, not US public authorities, and they expressly yield to US national security and law enforcement requirements. Safe Harbor therefore neither limits access to data about EU citizens by those authorities nor gives data subjects any right of redress in relation to such access. The CJEU held that generalised access of that kind compromises the essence of the right to respect for private life (article 7 of the EU Charter of Fundamental Rights) and that the absence of any legal remedy compromises the essence of the right to effective judicial protection (article 47).
The court also ruled that approval by the Commission of a mechanism such as Safe Harbor to transfer personal data outside the EEA does not discharge national data protection authorities (such as the UK’s Information Commissioner) from their duties to investigate complaints from data subjects that such transfers breach EU data protection laws.
What are the consequences of the ruling?
The immediate effect of the ruling is to invalidate the legal basis on which many organisations transfer personal data to the United States, causing considerable uncertainty.
While there are other ways of complying with the eighth principle on such transfers, identifying the relevant processing arrangements and putting those new measures in place will be time consuming and administratively challenging.
In any event, the use of those other mechanisms, such as the European Commission’s approved Model Clauses or Binding Corporate Rules, is also potentially open to challenge on the same basis as the concerns expressed by the CJEU in the Schrems decision. Both are contractual or corporate commitments between the parties to the transfer; neither provides any greater protection than Safe Harbor against access to personal data by US intelligence and law enforcement agencies, whose powers exist under US law regardless of what the parties agree.
A statement issued by the Article 29 Working Party (A29WP), a grouping of the various national data protection authorities, acknowledges this and states that more time is needed to consider the impact of the ruling. A subsequent statement issued by the German data protection authorities said they are now “doubtful” over the validity of the Model Clauses or Binding Corporate Rules for data transfers to the US, and that they will not be approving any new transfers of personal data to the US for the time being.
The decision may also raise questions about the legality of data transfers to other countries outside the EEA, where local law enforcement agencies enjoy similar rights to those in the US.
What else are the regulators saying?
Whilst opinions of the A29WP have no formal legal standing, they do reflect the collective views of the national data protection authorities in terms of how they will interpret EU privacy laws. The A29WP also said that:
- the question of massive and indiscriminate surveillance is a key element of the CJEU’s analysis;
- the decision makes it clear that transfers still taking place under Safe Harbor are unlawful;
- it is absolutely essential to have a robust, collective and common position on the implementation of the judgment;
- pending the A29WP’s further analysis of the decision on other transfer tools, the Model Clauses and Binding Corporate Rules can still be used; and
- member states and the European institutions should “urgently” open discussions with the US to find legal and technical solutions that enable personal data to be transferred there in a manner that complies with EU law.
The A29WP goes on to say that the national data protection authorities have given the European Commission and the US authorities three months to propose a replacement for Safe Harbor that complies with EU privacy laws before enforcement action will be taken against its continued use: “If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
What has the UK Information Commissioner said?
The Information Commissioner’s Office (ICO) is a member of the A29WP. The ICO has acknowledged that there remains uncertainty on the effect that Schrems will have on the use of other data transfer mechanisms approved by the European Commission.
While the CJEU struck down the European Commission’s decision approving Safe Harbor, the ICO’s view is that Safe Harbor still provides a measure of protection for personal data. Personal data is at no greater risk than it was immediately before the CJEU issued its judgment.
For that reason, the ICO says that it will not be rushing to use its enforcement powers while there remains so much uncertainty. Instead the ICO has said that it will be working with its fellow national data protection authorities to review the wider impact of the decision and provide a common approach from regulators across the EU.
What should data controllers be doing?
- Don’t panic – the ICO is still reviewing the impact of Schrems on other data transfer mechanisms, and says organisations should not rush to adopt other mechanisms that may turn out to be less than ideal. Data controllers should be wary of “quick fix” data protection addenda offered by US-based suppliers.
- Take stock – in the meantime, the ICO says data controllers should work out what data transfers they have in place, what data are involved and what alternative arrangements could be used in place of Safe Harbor if no progress is made on a replacement scheme.
Data controllers may also want to consider whether it is still necessary to transfer personal data to the United States. For example, could the processing be carried out in the EU? Is the transfer actually necessary?
The ICO also reminds organisations that the UK Data Protection Act allows data controllers to make their own findings of adequacy in relation to transfers of personal data outside the EEA. However, given the basis on which the CJEU has struck down Safe Harbor, it is difficult to see how any data controller could now confidently make a finding of adequacy in relation to a US data transfer. It does not matter what diligence is done or what contract terms are put in place – those surveillance rights will continue to exist.
Safe Harbor 2.0
As the ICO says: “We can’t create legal certainty where there is none.” It is clear that national data protection authorities are hoping the new data transfer pact being discussed between Europe and the US (“Safe Harbor 2.0”) will provide the solution. The ICO asks businesses (in particular multinationals) to urge member states, the European Commission and the US authorities to push this forward.
At the end of October, Commissioner Jourova announced that the European Commission had “agreed in principle” with the US on a new pact for trans-Atlantic data transfers. However, it is clear that work still needs to be done to ensure the new pact satisfies the requirements of the CJEU. That means clearer controls on access to the personal data of Europeans by US intelligence services, greater transparency, and stronger oversight by the US Department of Commerce.
Commissioner Jourova anticipates significant progress being made on these points by mid-November. Watch this space.