The European Court of Justice (ECJ) has ruled that the Safe Harbour framework is invalid, but what does that mean for business?
According to the European Parliament, more than 3,000 companies currently use the framework for the transfer of data, including firms such as Facebook, Google and Microsoft. The Safe Harbour framework, administered by the US Department of Commerce, enabled US companies to self-certify that they have certain standards for the protection of personal data in place. However, the ECJ said the Safe Harbour framework is invalid as a mechanism to legitimise transfers of personal data from the EU to the US because it does not guarantee adequate data protection.
Many agree that the ruling has far-reaching implications for all businesses, particularly social media networks and other technology businesses that hold or process personal data of EU citizens in the US. While some lawyers believe the ruling will not cause any major disruptions, thousands of companies using Safe Harbour will have to review their data transfer processes.
“The judgement means businesses that use Safe Harbour will need to review how they ensure data transferred to the US is transferred in line with the law,” said David Smith, deputy commissioner at the Information Commissioner’s Office (ICO).
The ICO recognises it will take some time for businesses to do this, he said, noting Safe Harbour is not the only basis on which transfers of personal data to the US can be made. “Many transfers take place based on different provisions. The ICO has previously published guidance on the full range of options available to businesses to ensure they are complying with the law related to international transfers,” said Smith. However, the ICO will work with other data protection authorities in Europe and issue further guidance for businesses on the options open to them, according to Smith.
“The ruling does not mean there is an increase in the threat to people’s personal data, but it does make clear the important obligation on organisations to protect people’s data when it leaves the UK,” he said.
Disappearance of Safe Harbour
Christopher Jeffery, head of UK IT, telecoms and competition at international law firm Taylor Wessing, said the ECJ ruling forces US companies that need to take personal data from the EU down other compliance routes. “There are alternatives to Safe Harbour, but for most companies they take time and money to put in place. That will be an unwelcome distraction – no one was preparing for the abrupt disappearance of Safe Harbour,” he said. Although some commentators have raised the prospect of mass enforcement action against every US company signed up to Safe Harbour, Jeffery believes this is unlikely. “We expect the more pragmatic regulators to allow companies time to re-organise their compliance programmes,” he said.
However, Jeffery said in countries such as Germany – where Safe Harbour has long been regarded with suspicion – the regulators may not be so generous.
“They may feel concerns about Safe Harbour have been well-flagged and so businesses should have made alternative arrangements by now,” he said.
According to Jeffery, the key message to businesses is to “get on it” immediately.
“Getting model clauses signed, for instance, between affiliates and with key external suppliers should be relatively straightforward and helpful to show they are taking the issue seriously – go for the low-hanging fruit early to show a desire to move towards fuller compliance. Organisations that are slow to react and are seen to be doing nothing risk attracting regulator attention – and that will likely not end well,” he said.
Deema Freij, deputy general counsel and global privacy officer at Intralinks, said any company using Safe Harbour will need to evaluate how it protects personal data, as well as re-evaluate governance, risk and compliance processes to meet international data transfer requirements to the US without Safe Harbour being part of the mix.
“In anticipation of this ruling and because of the criticism Safe Harbour has received in recent times, many companies have already begun using model contracts as a means of meeting international data transfer requirements,” she said.
Alternatives could be scrutinised
However, Marc Dautlich, information law partner at legal firm Pinsent Masons, warned that while companies are able to adopt model clauses or implement binding corporate rules (BCRs) to help them meet the adequacy standards of EU data protection laws when transferring personal data outside of the EU, both options could now come in for scrutiny for similar reasons to those highlighted in relation to the Safe Harbour agreement.
Mahisha Rupan, data protection and privacy senior associate at technology law firm Kemp Little, also noted that BCRs only work for intra-group data transfers.
“Model clauses will need to be put in place between each data exporter and each data importer, which may prove to be impractical where a US company has thousands of EU-based customers,” she said.
Consent of the individual may also be used to justify certain transfers to the US, said Rupan. “But consent is tricky as it must be specific, informed and freely given,” she added.
Robert Lands, partner and head of intellectual property at law firm Howard Kennedy, said the ruling means extra due diligence into service providers will need to be conducted, as many companies outsource their human resources, payroll and other tasks involving personal data about customers or staff.
“European businesses using software supported from the US need to be wary. Remote access can often allow a technician to view personal data in the US, meaning a transfer of personal data can occur. A more transparent and accessible approach should be taken to data sharing,” said Lands.
“Obtaining explicit consent to justify transfers and creating new agreements between companies that share data may be further ways of meeting the requirements of the Data Protection Directive,” he said.
Bharat Mistry, cyber security consultant at Trend Micro, said US companies will have to look at local operations to process data.
“This is a good thing as it restricts data flow to within the EU or local country borders, therefore resulting in tighter control and enforcement by the EU and additional investment into Europe in the form of extra jobs in data processing,” he said.
Businesses affected outside the EU
In terms of the impact on businesses, Mistry said it will be niche startups or companies outside of EU borders – where the EU deems the data protection controls/laws do not meet its standards – that will suffer most.
“The large-scale social media companies with a presence inside EU borders will be able to access the data. Overall, the ruling is positive as the more distributed the data, the higher the chance of a breach,” he said.
Ashley Winton, UK head of data protection and privacy at international law firm Paul Hastings, said companies should also be mindful of another recent landmark case against Slovakia-based property website Weltimmo.
The ECJ’s ruling on 1 October 2015 is also expected to have far-reaching implications for tech giants processing data in Europe.
According to the ruling in favour of the Hungarian data protection authority, companies that have websites translated into another language – targeting consumers of European member states – may now have to comply with the regulations in each individual member state.
“Multinational companies that have elected to create an establishment in a more business-friendly jurisdiction are now likely to have their data protection practices scrutinised by local regulators across the EU,” said Winton.
“There are currently no rules limiting individuals bringing complaints regarding data protection across multiple jurisdictions simultaneously, so we may now see these complaints springing up from every direction,” he said.
Antony Walker, deputy CEO at techUK, said the ruling will cause real confusion and uncertainty for all sorts of businesses that need to transfer data between the EU and US.
“Businesses will be looking to the European Commission and national data protection authorities to steady the ship and provide clarity on what they need to do to ensure their transatlantic data transfers are lawful,” said Walker.
“This is a big issue for many small businesses as they will be faced with the time-consuming and costly task of working through the full legal implications. The ability to transfer data lawfully across borders is fundamental for a growing and dynamic digital economy. Businesses need stability and certainty in the legal framework to enable this to happen,” he said.
European Commission must make data transfers safer
Following the ECJ’s latest ruling, Claude Moraes, chair of the European Parliament’s Civil Liberties Committee, called for the immediate suspension of the Safe Harbour agreement and the initiation of a secure data protection framework that will guarantee the rights and privacy of European citizens.
“Compared with the strong, enforceable data protection legislation in the EU, Safe Harbour offers completely inadequate protection for EU citizens using services from US companies,” said Moraes.
“The Snowden disclosures threw these inadequacies into the spotlight as Safe Harbour does not provide any protection from mass surveillance activities because it contains a national security exemption that has never been clarified,” he said.
However, Moraes said there were also concerns prior to the Snowden revelations given that Safe Harbour is a non-binding agreement that lacks compliance by companies and gives no possibility for citizens to enforce their rights.
The decision by the European Court of Justice to declare the Safe Harbour agreement invalid forces the European Commission (EC) to act to ensure transatlantic transfers of personal data of EU citizens to companies in the US offer the continuity of protection required by EU law, according to Moraes. It also means the EC will have to come up with an immediate alternative to Safe Harbour, he said.
“The Commission has been in negotiations with the US for more than a year on improving the framework, but we have still received no update on these discussions,” said Moraes.
He called on the EC to put forward a complete and strong framework immediately for transfers of personal data to the US that complies with requirements of EU law as enshrined in the Charter of Fundamental Rights and EU data protection rules. The framework should also provide EU citizens with solid, enforceable data protection rights and effective independent supervision.
Responding to the ruling, the EC said it was an important step towards upholding Europeans’ fundamental rights to data protection.
“I see this as a confirmation of the European Commission’s approach for the renegotiation of the Safe Harbour agreement,” said EC first vice-president Frans Timmermans.
“We have already been working with the American authorities to make data transfers safer for European citizens. In light of the ruling, we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic,” he said.
In the meantime, Timmermans said transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under EU data protection law.
He also promised “clear guidance” for national data protection authorities on how to deal with data transfer requests to the US.
While this ruling is widely considered to be significant, few believe the day-to-day operations of most companies will change significantly, particularly in light of the EC’s statement.
However, Austrian privacy activist Max Schrems – who brought the initial case against Facebook that was referred to the ECJ and resulted in the ruling on the Safe Harbour agreement – said US companies that aided US mass surveillance, such as Apple, Google, Facebook, Microsoft and Yahoo, may face serious legal consequences from this ruling when data protection authorities of 28 member states review their co-operation with US spy agencies.