The ‘Safe Harbor’ Scheme Coming Under Challenge

By: Ron Moscona, a partner in Dorsey & Whitney’s London Office

The Court of Justice of the European Union (“CJEU”) held yesterday, in its decision in Schrems v. Data Protection Commissioner[1], that the decision of the European Commission of July 2000 which provides the legal basis under EU law for the “Safe Harbor” scheme is invalid.

Further, the CJEU held that the Irish Data Protection Commissioner, before whom the case was originally brought, must investigate the matter and decide whether the transfer of personal data to the U.S. by U.S. companies that signed up to the Safe Harbor scheme (Facebook, in the case at hand) should be suspended on the grounds that the U.S. does not ensure an adequate level of protection to personal data transferred from the EU.

In this note we will explain the ramifications of this decision and our recommendations for U.S. companies that rely on the Safe Harbor scheme to process personal data collected in the EU in their data centres in the U.S.

The Safe Harbor scheme

EU data privacy legislation[2] restricts the transfer of personal data to any territory outside of the EU which does not provide adequate protection to privacy rights. The Safe Harbor scheme was set up in 2000 in order to facilitate the free flow of personal data to the U.S. (which, in general, is considered to be a jurisdiction that does not provide a level of protection to privacy rights equivalent to that required under EU legislation). To bridge the gap, the Safe Harbor scheme proceeds on the basis of two elements: (i) a commitment by organisations participating in the scheme to abide by privacy rules reflecting the principles of EU data privacy legislation, coupled with self-certification, and (ii) enforcement powers of U.S. agencies (predominantly the Federal Trade Commission). Participation in the Safe Harbor scheme is voluntary, but the rules are binding on those organisations that participate.

Background to the CJEU ruling

At the heart of the case that was brought before the CJEU is the controversy arising from the revelations made by Edward Snowden in 2013 in relation to the alleged mass surveillance of electronic communications carried out by the U.S. national security and law enforcement agencies. The EU would like to ensure that such surveillance activities by U.S. agencies are carried out proportionately, subject to proper judicial oversight and open to challenges by affected EU residents through the U.S. courts.

While U.S. authorities have publicly disputed the allegations of mass indiscriminate surveillance, the U.S. government has announced significant changes in its surveillance practices since the Snowden revelations broke, and the President has directed the intelligence and law enforcement authorities to extend to citizens of other countries whose data may be subject to surveillance the same level of protection that U.S. law affords to U.S. citizens and residents. These steps were taken in order to address the concerns raised in Europe and in response to threats made by politicians across Europe to suspend data flows into the U.S.

In November 2013, in two Communications to the European Parliament and the EU Council, the EU Commission identified weaknesses in the Safe Harbor scheme and promised to rectify the situation. Since then, the EU Commission has engaged in negotiations with the U.S. government to address the issue of the protection of personal data flowing from the EU and to modify the Safe Harbor scheme. But a new deal has stalled, most recently (as reported) over disagreements on provisions for data sharing with U.S. law enforcement agencies.

Over the last few days, since the publication of the Advocate General’s opinion in the Schrems case, both U.S. officials and their counterparts in the EU Commission have made public announcements claiming that a new deal for the Safe Harbor is near completion.

What did the CJEU decide?

The CJEU held that the decision of the EU Commission of July 2000 by which the Commission (in accordance with its powers under EU legislation) adopted the Safe Harbor scheme is invalid. The Court considered that the Safe Harbor scheme provided overly broad exceptions for national security, public interest and domestic legislation.

The Court’s decision to invalidate the Commission’s decision on the Safe Harbor was also informed by the concerns raised in the EU Commission’s Communications to the Parliament and the Council of November 2013 regarding the Safe Harbor scheme and the manner in which it operates in practice in the U.S. Among other issues, the Commission raised the unrestricted access to personal data that is allegedly given to U.S. intelligence agencies by companies that signed up for the scheme, and the lack of judicial oversight over intelligence activities and of legal redress for EU citizens whose data is affected. The Court pointed out that similar matters were also identified by the Irish High Court (sitting on appeal from the decision of the Data Protection Commissioner) on the basis of the evidence submitted in the Schrems case.

The other limb of the CJEU’s decision is that national regulators must investigate complaints alleging that a third country does not ensure an adequate level of protection to personal data – even if the EU Commission, in exercising its statutory powers, has found otherwise.

Is it now unlawful to transfer personal data to the U.S. under the Safe Harbor scheme?

The CJEU’s decision does not hold that the transfer of data to the U.S. is unlawful. However, the decision means that there is now a high level of legal uncertainty. The CJEU invalidated the legal basis for the Safe Harbor scheme which means that the transfer of personal data under the scheme from any particular EU country to the U.S. might now be held by a national court or regulator in that EU country to be unlawful.

In the case at hand, a complaint was made by Maximillian Schrems, an Austrian resident and Facebook user since 2008, against Facebook Ireland (the European subsidiary of Facebook that contracts with European customers). The complainant asked that the Irish Data Protection Commissioner order Facebook Ireland to suspend the flow of personal data from the EU to the U.S. Facebook, like many other U.S. companies, relies on the Safe Harbor scheme to meet the requirements of EU law (in this case, as implemented in Ireland) in relation to the transfer of personal data for storage and processing in the U.S.

As a result of the decision of the CJEU, the Irish regulator is now required to investigate the complaint made by Mr. Schrems which alleges that the U.S. does not, by its domestic legislation and international commitments (that is, through the Safe Harbor scheme) ensure an adequate level of protection for personal data transferred to its territory.

Accordingly, the Irish Data Protection Commissioner will now have to investigate the facts (including the legal position in the U.S.) and will be required to decide whether to order Facebook Ireland to suspend the flow of personal data to the U.S.

Equally, in view of the invalidation of the EU Commission’s decision on the Safe Harbor scheme, individuals throughout the EU can now file similar complaints to national data protection regulators seeking orders against companies that rely on the Safe Harbor scheme to suspend all data flows under the scheme. Courts and regulators could now hold that any transfer of data under the scheme (at least as of today’s date) is unlawful.

Does the decision spell the end of the Safe Harbor scheme?

Clearly, the scheme in its current form is now untenable. It may be only a matter of time before regulators across the EU start issuing orders against companies that rely on the scheme to suspend all data flows made in reliance on it.

However, the Schrems case is unlikely to bring the scheme to an end. While there are alternatives (which will be discussed below), the scheme is an extremely convenient tool, within the framework of EU law, which offers substantial economic benefits to participating companies as well as to the health of the digital economy in the EU and the U.S. in general. It is unlikely that the scheme will be abandoned.

As mentioned above, the U.S. has taken steps to address the privacy concerns that have arisen in Europe and it is currently in final negotiations with the EU Commission to modify the Safe Harbor scheme and to address its alleged weaknesses.

Once a new agreement is reached between the U.S. and the EU Commission, it is likely that the Commission will, once again, use its powers under EU legislation and issue a decision recognising that the new agreement ensures an adequate level of protection for personal data transferred from the EU. A new agreement and a decision giving it legal effect in the EU may face new legal challenges, but it is safe to assume that a revised deal would be more difficult to invalidate. A new agreement on the Safe Harbor is therefore likely to restore legal certainty.

How should companies react in the meantime?

Any transfer of personal data to the U.S. under the Safe Harbor scheme can now be held unlawful. Even though there is a reasonable expectation that a new deal will be reached between the EU and the U.S., there is no way of telling how long it will take to emerge. Further, if the parties scramble to find a quick solution, it is more likely that challenges will be brought against it, and there is a higher risk that such challenges might succeed.

It is advisable, therefore, for any companies that have so far relied on the Safe Harbor scheme, to consider the alternatives.

Statutory exceptions

Companies should be mindful of the various statutory exceptions to the rule restricting the transfer of personal data to countries that ‘do not ensure an adequate level of protection’ to privacy rights. These exceptions allow the transfer of data, for example, when it is “necessary for the conclusion or performance of a contract” or where “it is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims”. There are various other circumstances in which the transfer of data outside the EU is exempted from the restriction.

Companies should consider whether (or to what extent) they can rely on these exceptions rather than on the Safe Harbor scheme.

Data subject consent

While the different specific exceptions are unlikely to address the needs of large companies for mass data flows of customer, HR and other personal data that they process, one key exception could be relied on in some cases. That is, where the data subjects consent to the transfer of the data for processing in the U.S. (or any other country).

Many companies prefer not to seek the consent of thousands of individuals, whether customers, employees or other groups. Inevitably, there will be some proportion that would withhold their consent and the process of obtaining consents from numerous individuals may be cumbersome. However, obtaining the data subjects’ consent can be an ideal option in some cases. If the consent is properly obtained, the transfer of the data for processing in the U.S. (or in any other country to which consent was given) will be permitted.

We emphasise, however, that the consent itself must be obtained properly and meet the applicable legal requirements, which must be assessed on a case by case basis. A transfer of data to a third country is not restricted if it is made with the data subject’s consent, but the consent itself can be challenged unless it was obtained properly. For example, in some EU countries, consent obtained from employees could be challenged on the grounds that it was not given freely. In many countries, consent obtained from consumers can be challenged if it was not given independently and on an informed basis.

Data transfer agreements and binding corporate rules

The most convenient alternative to the Safe Harbor scheme, however, is the route that is taken by numerous companies that transfer personal data for processing in the U.S. without signing up to the Safe Harbor scheme. That is, by putting in place “appropriate contractual clauses”.

EU legislation recognises that these contractual arrangements (based on standard language adopted in decisions of the EU Commission) may provide “adequate safeguards” for the transfer of data from the EU to countries which do not, in general, provide for an equivalent level of protection of privacy rights.

While there is no guarantee that the transfer of data under “appropriate contractual clauses” will not be challenged (as discussed below), it may be advisable for any company that currently relies on the Safe Harbor to put in place data export agreements compliant with EU legislation so that its data flows are not held to be illegal. The process is simple and the agreement can be put in place between affiliated group companies. For instance, if it has not done so already, Facebook Ireland would be able to contract with its parent company in the U.S. (or with the relevant U.S. entity that processes data on behalf of Facebook) for the export of data from Ireland (and indeed from the whole of the EU) for processing in the U.S. Such an agreement would give those data flows a legal basis recognised under EU law.

There are a number of different types of standard contractual clauses (or data export agreements) that were approved by the EU Commission and companies will need to consider which ones are appropriate in each case.

The so called “binding corporate rules” for the transfer of data among members of a multinational group are another method that was recognised as a legitimate way of transferring personal data from the EU for processing in countries that do not ensure an adequate level of protection to privacy rights.

Are the alternative routes for transferring data safe?

As mentioned above, in some cases, companies can rely on the statutory exceptions, most importantly, where data subjects’ consent has been obtained. This would be a very safe route to take as long as the validity of the consent cannot be easily challenged.

However, alternative routes such as “appropriate contractual clauses” and “binding corporate rules” are no more immune to legal challenges than the Safe Harbor scheme. In fact, particularly in view of the decision of the CJEU in the Schrems case, individuals and regulators could well decide to challenge these alternative arrangements.

Further, in some EU countries (although not in all of them) the transfer of personal data under a data export agreement (or other alternative methods, such as “binding corporate rules”) requires notification to the national regulator which has the power not to approve the agreement. If regulators believe that the transfer of personal data to the U.S. is unsafe due to the powers and activities of U.S. security agencies, they can refuse to permit the transfer of personal data by alternative methods such as under a data export agreement (notwithstanding that standard language for the agreement has been approved by the EU Commission). Further, regulators in member states will be able to determine that “contractual clauses” for the transfer of data or “binding corporate rules” do not ensure sufficient protection to data transferred to the U.S., for instance due to interference with such data by U.S. security agencies, and could therefore order such data flows to be suspended.

However, from a risk assessment point of view, companies must recognise that the Safe Harbor scheme (in its present form) has now been declared invalid by the highest court in the EU and therefore there is a clear risk that any data flows under the scheme would be held unlawful by national regulators and courts of law. Companies that continue to rely on the scheme could face significant penalties as well as private law suits. By contrast, there has been no determination yet that the transfer of data under an approved data export agreement is unlawful. Until such determination is made, the transfer of data under these agreements will remain lawful.

Longer term considerations

New data protection legislation has been in progress through the European Parliament, the EU member states and the EU Commission for a number of years now. The current drafts of the new legislation do not suggest a significant revision of the rules relating to the transfer of data to third countries. However, the row following the Snowden revelations and the latest development in the Schrems case may prompt legislators to look further into the issue.

Much will depend on the success of the U.S. government and the EU Commission in reaching a satisfactory agreement that would ensure sufficient safeguards for the protection of privacy rights in respect of data transferred from the EU, while allowing legitimate intelligence gathering and law enforcement activities to continue in a proportionate, supervised and controlled manner.

It is likely that a resolution will be found (although it is impossible to know how soon). However, in the longer term, wider issues may be at play. Concerns for the protection of data and privacy in the digital age are growing, not only in the EU but around the world and among consumers. The free flow of data around the world in this age of cloud computing may meet new obstacles in the future. Governments recognise the economic value of that free flow of data, but consumers, legislatures and regulators are keen on protection. The EU is unlikely to relax its regime for the control of data transfers to third countries. Today the main issue is national security and law enforcement; tomorrow other issues could arise.

Rising concerns over the protection of privacy could spell more controls and more obstacles to business. Already, the current proposals for new EU data protection legislation suggest a much higher level of regulatory supervision of companies that process large amounts of personal data, and the level of effort and investment that the law requires companies to put in to comply with privacy rules is set to increase substantially. This could also mean that, in the longer term, the free flow of personal data from the EU may become subject to stricter controls and regulations.

At some point in the future, it may become inevitable that data collected in the EU will have to be processed in the EU territory and subject to the laws of the EU. Large companies should consider whether it may be prudent (or simply easier) to set up data centres in the EU to process their customer, HR and similar classes of personal data where they are collected. The legal position, however, has not gone that far yet. For now, alternative measures can be put in place to address the effective suspension of the Safe Harbor scheme and the likelihood is that the scheme will go back into operation sooner or later.

[1] Case C-362/14, Maximillian Schrems v. Data Protection Commissioner

[2] Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data