UPDATE: On 16 October 2015 the Article 29 Data Protection Working Party released a statement in the wake of the CJEU’s landmark declaration that the US – EU Safe Harbour is invalid. The Working Party recognises that it is “absolutely essential to have a robust, collective and common position on the implementation of the judgment,” and urges EU Member States to open up discussions with US authorities in order to find a solution which will enable the free flow of data between the EU and US. You can read the press release here.

In a landmark decision, the European Court of Justice (CJEU) has ruled that the EU-US Safe Harbour agreement, which has facilitated the transfer of personal data between the EU and US for the past 15 years, is invalid.


The EU has long set a high-water mark for the protection of personal data, particularly when it comes to cross-border information flows. Specifically, the EU Data Protection Directive (95/46/EC) provides that personal data can only be transferred to a country outside the EU if that country’s laws provide an ‘adequate’ level of data protection, or the recipient can guarantee that the data will be adequately protected. The US, which does not have a formal data protection regime, falls well short of an adequacy finding under the EU Directive. Yet, it is home to some of the biggest tech companies in the world – Facebook, Google and Apple to name a few.

The Safe Harbour agreement was introduced to balance the EU’s high standard of data protection against the obvious utility of facilitating the free flow of information to and from the US in an increasingly online global economy. In short, it enabled the transfer of data from the EU to US organisations, where those organisations were certified as being compliant with the Safe Harbour principles.

The Safe Harbour Under Scrutiny

When Edward Snowden famously leaked evidence of mass surveillance by the US National Security Agency, the Safe Harbour inevitably came under scrutiny. Snowden’s revelations demonstrated that while the Safe Harbour scheme provided certain protections for personal data of EU citizens in the hands of US companies, it could not keep that data safe from wide-scale surveillance by the US Government.

Subsequently, Austrian law student Max Schrems lodged a complaint against Facebook with the Irish Data Protection Authority, on the basis that the US government’s allegedly indiscriminate surveillance activities meant that his personal Facebook data was not ‘adequately’ protected under the Safe Harbour regime. The CJEU, the highest court in the EU, agreed with Schrems.

Where to now?

The CJEU’s decision has effectively pulled the rug out from underneath the thousands of businesses in the EU and US relying on Safe Harbour certification to transfer personal data across the Atlantic. To give some context, at the time the CJEU declared the Safe Harbour invalid, there were over 4,500 US companies certified under the scheme. Considering the vast amounts of data transferred between the EU and US on a daily basis, the impact on these organisations, particularly smaller businesses, will be significant.

The effect of the decision is immediate, so IT and legal teams across the EU and US will be scrambling to put alternative arrangements in place, to ensure current business practices remain legal. Organisations will need to look closely at their data-sharing processes, and assess the options available to them.

There is no denying that it is necessary to preserve the free flow of data between two of the biggest economic powers in the world – there are already talks of pushing forward with a new and improved Safe Harbour scheme. The CJEU decision means, however, that in facilitating such data flows, data privacy must be a priority.