In a 35-page ruling, published on October 6, 2015, the Court of Justice of the European Union has declared the EU-US Safe Harbor invalid. This means that data transfers between European companies and the 4500+ US companies that have self-certified their adherence to the EU-US Safe Harbor principles no longer have a legal basis and are exposed to the scrutiny of the 31 Data Protection Authorities of the European Economic Area (EEA) Member States.
The CJEU ruling comes after lengthy proceedings initiated by an Austrian law student against Facebook, arguing that the transfer of his personal information from Austria to Facebook’s California servers under the protection of the Safe Harbor violates his rights. The original complaint argued that, based on the information provided by Edward Snowden regarding the mass surveillance powers of the US National Security Agency, the United States offers no legal protection against data surveillance, and that the powers of US law enforcement agencies supersede the promises made in a company’s Safe Harbor self-certification.
The CJEU went beyond the specific question that had been raised in the Facebook case. It held that Article 3 of Decision 2000/520 (which allowed for the creation of the Safe Harbor) is invalid. And, because Article 3 of Decision 2000/520 is inseparable from the other provisions of Decision 2000/520, the invalidity of Article 3 invalidates Decision 2000/520 in its entirety.
As put simply and very concisely in the last line of the CJEU 35-page ruling: “Decision 2000/520 is invalid.”
What does this mean for US companies and their subsidiaries and trading partners located in the 31 Member States of the European Economic Area?
It means great uncertainty. There are long-term and short-term issues:
- What to do immediately;
- Whether this means a future with a series of data localization restrictions resulting in countries or regions adopting a silo approach to data storage.
First, the legal basis of the EU-US Safe Harbor on which EEA companies had relied to transfer data to the United States has been declared invalid. However, the decision does not affect the Switzerland-US Safe Harbor. Thus transfers between Switzerland and the United States can continue under the existing Swiss-US Safe Harbor regime.
In the meantime, EEA data protection laws continue to prohibit the transfer of personal data outside the EEA territory unless there is a legal basis to show that the data, once on US territory, will benefit from the same protection as in the EEA.
There may be temporary workarounds. There are other approved methods to achieve the “adequate protection” required by the EEA data protection laws. For example, EU and EEA companies may decide to enter into contracts based on Standard Contractual Clauses approved by the European Commission. This might be the fastest and most efficient way to react in the short term. But before this solution can be implemented, significant due diligence must be performed, and many parties must agree to the applicable terms. The terms of the Standard Contractual Clauses create stringent restrictions and significant liabilities for which US companies may need additional insurance coverage. Multi-national entities may attempt to obtain approval of BCRs (“Binding Corporate Rules”) for their internal transfers. But there are significant hurdles. For example, currently, only 21 out of the 31 EEA countries recognize Binding Corporate Rules. Further, the process for approval of a set of BCRs may take one to two years from beginning to end.
Long Term Issues
A much more fundamental question remains. What happens to EEA data when they are stored on US territory? And will the NSA surveillance activities continue to create heartburn for EEA citizens and institutions?
The argument initially raised in the Facebook case was that the Snowden revelations raised concern that, in spite of a series of laws regulating government access to data and communications, the US legal framework offers no actual protection against excessive surveillance by US law enforcement agencies.
In its 35-page analysis, the CJEU repeatedly asserts that personal data, when on US territory, is subject to massive surveillance, and that the current legal regime in the United States requires companies to “disregard … without limitation” the protective rules laid down by the Safe Harbor when they conflict with US national security and public interest. The CJEU opinion also points to other deficiencies in the US legal regime, such as a lack of access and correction rights.
The invalidation of the 2000/520 Safe Harbor Decision does not solve this issue. Data transferred from the EEA to the United States under BCRs or Standard Contractual Clauses would suffer the same fate.
A world of silos?
The CJEU Decision in the Facebook case raises a much more fundamental question regarding cross-border data transfers. It is not just the Safe Harbor program that is at stake. What is at stake is the entire framework of model clauses, binding corporate rules and other methods that are currently used to address the “adequate protection” requirement under EU Member State data protection laws.
Will the special powers granted to – or used by – law enforcement agencies in the US create such an obstacle to cross-border data transfers between the EEA and the US that US companies will have no choice but to set up data centers in the EEA, in order to store their EEA customers’ data within the EEA territory in an attempt to reduce the risk of being within the reach of the long arm of US law enforcement agencies?
And will this trend, combined with other data localization laws, such as the one in Russia, create a world of data silos? Will localization laws become the norm?
Is it already too late?