ECJ today declared the EU-US Safe Harbor Agreement to be void: What should you do?
On 6 October 2015 the European Court of Justice (ECJ) announced its judgement in the case of Schrems v. Facebook and, to a large extent, followed the recent recommendation of the Advocate General. The consequences of this decision are severe and are not limited to Facebook or other Internet giants; in practice, they raise serious concerns for most parts of the European economy. All enterprises should assess the need to react.
Background: European enterprises use a multitude of services, software and other offerings from providers in the US. Within company groups, data need to be shared, e.g. for HR planning. Personal data frequently has to be transmitted or fed into the systems for these purposes, e.g. for customer management or personnel administration. Strict requirements have to be met for data transfers to countries outside of Europe, to ensure an adequate level of protection by the recipient. Various EU Commission decisions offer solutions to meet these requirements. One of these is the Safe Harbor Agreement which, with respect to the USA, applies to those US enterprises which certify themselves correspondingly in the USA, and permits data transfers to such entities. By other EU Commission decisions, some countries are accepted in general to be “safe” (e.g. Switzerland or Argentina), or Model Clauses have been approved. As a consequence of mass surveillance in the US, the lawyer Max Schrems filed a complaint against Facebook, which transfers personal data to the USA based on Safe Harbor. The Irish High Court asked the ECJ whether the Irish data protection authority must review this complaint.
The decision on Safe Harbor: The ECJ followed the Advocate General’s proposal to declare the Safe Harbor Agreement to be void (going beyond what was asked by the Irish High Court). The consequences of that are drastic: All data transfers made solely on the basis of the present Safe Harbor Agreement may become invalid with immediate effect (unless an adequate level of protection can be based on other instruments). Data protection authorities could now impose fines or orders to stop the respective data transfers – which could stop substantial parts of the data processing of the German economy. We believe that such drastic consequences by the German data protection authorities without prior warning are unlikely.
Consequences for other Commission instruments: The ECJ furthermore decided that national supervisory authorities have the power to independently assess the adequacy of the protection, including the protection granted by (binding) EU Commission decisions. The result will be a hotchpotch of differing opinions by regulators across Europe. The German data protection authorities already made their position clear in a press release in July 2013: Data transfers on the basis of EU-US Safe Harbor and EU Model Clauses should be prohibited. However, the ECJ clarified, which was not clear from the recommendation of the Advocate General, that national regulators cannot deviate from, or suspend, legally binding EU Commission decisions: They must ask a court to decide, and that court then has to refer the question to the ECJ, which has the exclusive power to decide on the validity of EU Commission decisions. At least for a certain time, this protects the trust of participants in other EU Commission decisions.
ToDos for companies: We recommend that you use the time to check if your company is affected and react correspondingly. First of all, you should assess if there are any data transfers to the US that are made solely on the basis of Safe Harbor. In those cases, you should approach your business partners and discuss the alternatives: One option, currently still available, is the so-called EU Model Clauses that can be concluded with recipients in the US. While these are also based on an EU Commission decision with similar weak (and substantial) points, the ECJ today did not decide on those and clarified that the data protection authorities may not do so. For the future, though, it remains to be seen how the regulators, and later on the ECJ again, will react. Hopefully, the new Safe Harbor Agreement, which the EU Commission is currently renegotiating with the US, will meet the concerns of the ECJ. For group internal data transfers, Binding Corporate Rules will play an even more important role. In any event, the future developments around these instruments are to be carefully watched.
We are happy to assist you when implementing the next steps. Please feel free to contact us.
Dr. Jürgen Hartung