You say Safe Harbor, we say Safe Harbour, let’s call the whole thing off?

Schrems v Data Protection Commissioner: C-362/14 [2015] All ER (D) 34 (Oct)
The Court of Justice of the European Union recently delivered a landmark judgment, essentially invalidating the existing Safe Harbor framework agreement between the EU and the US. Mark Watts, partner at Bristows, along with associate Hannah Crowther, consider the implications of this decision.
What is the significance of the CJEU's ruling?
The Safe Harbor Framework, agreed in 2000, permitted the transfer of personal data from the EU to the US, provided the US recipient of the data was registered with the Safe Harbor scheme. The European Commission had issued a decision that using Safe Harbor provided an ‘adequate level for protection’ for the data, as required by the Data Protection Directive, art 25. After an Austrian student, Max Schrems, challenged Facebook’s transfers under Safe Harbor, on 6 October 2015 the CJEU ruled that the Commission’s decision was invalid. As a consequence, any transfers of personal data to the US which are reliant on Safe Harbor alone (and not on any of the other mechanisms or derogations) are unlawful.
On what basis did the CJEU make its ruling?

The CJEU declared the Commission’s adequacy decision invalid on two grounds:

  • that the Commission did not, in fact, state that the Safe Harbor framework ensured an adequate level of protection, by reason of the US’s domestic law or the international commitments it has entered into (as the Commission was required to do under the Data Protection Directive, art 25(6)); and
  • the powers granted to the European Data Protection Authorities (DPAs) under the Safe Harbor decision to suspend data flows to the US were too restrictive—the Commission is not empowered to limit DPAs’ powers in this manner, and thus the Commission had exceeded the discretion given to it under the Data Protection Directive, art 25(6).
To what extent, if any, did the CJEU depart from the Advocate General's (AG) Opinion?

In contrast to the AG’s Opinion, the court did not find that the DPAs could themselves decide that a Commission adequacy decision was invalid, and suspend transfers accordingly. The court emphasised that only it had the power to declare an EU act invalid.

However, a DPA which receives a complaint from an individual questioning an adequacy decision must carry out an investigation and, if it considers the complaint has merit, should refer the matter to its national courts to request a preliminary ruling from the CJEU. For a discussion on the AG’s Opinion see LexisPSL IP & IT News Analysis: Safe Harbor not so safe?

What does this mean for the Safe Harbor regime?

Although the Safe Harbor framework agreement between the EU and the US still exists, in the absence of an adequacy decision, registration with Safe Harbor has essentially no purpose or effect.

However, shortly after the Snowden revelations, the Commission and the DPAs agreed that Safe Harbor needed improvement, and the US and the EU have been working on its renegotiation. Rumours are that this ‘Safe Harbor 2.0’ is expected to be put before the EU Parliament for its agreement shortly. It seems highly likely that more information will quickly emerge about Safe Harbor 2.0, and hopefully the CJEU’s ruling will speed up its progress.

What are the practical implications now the decision has been handed down?

Provided organisations are proactive in reaching a solution, we think it highly unlikely the DPAs will begin any enforcement action in the immediate future. Once the DPAs and the Article 29 Working Party have released their response to the CJEU decision, we should have a better idea of what organisations are expected to do.

However, companies should consider the alternative transfer mechanisms and which of these would be most suitable for them. This could be the Commission’s standard contractual clauses, bespoke clauses approved by the DPAs, binding corporate rules, or one of the permitted derogations in the Data Protection Directive, art 26 (such as consent or performance of a contract).

Model clauses are clearly the quickest solution, but they should be read with care as they do contain some fairly onerous obligations, particularly in respect of sub-processing. Binding corporate rules can be a good solution for large organisations, but could take one or two years to put in place. Finally, organisations should exercise caution before falling back on consent, as the DPAs have always taken a very narrow view on the scope of consent to data transfers.

Mark Watts specialises in IT legal issues including many high-profile private and public sector outsourcing transactions. Mark advises companies deploying business critical IT platforms and applications, as well as advising on the creation of social networking websites, cloud computing, mobile apps and online trading websites. Mark has particular expertise in data protection and was global privacy counsel at IBM for many years.

Hannah Crowther is an associate in the commercial IP/IT team, specialising in data protection, e-commerce and commercial IT. Hannah’s practice involves advising on a wide variety of data protection issues, ranging from enterprise-wide compliance projects and binding corporate rules, to responding to individual subject access requests or complaints.

Interviewed by Alex Heshmaty. The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.

This article is republished with kind permission of WIPIT’s sister site, Lexis®PSL IP & IT.
