The European Court of Justice (ECJ), the highest legal authority in the European Union, struck down the European Commission’s 15-year-old Safe Harbor agreement October 6, 2015 due to concerns that the framework does not sufficiently protect EU citizens’ personal data. The decision is not appealable. The decision was based primarily on the U.S. government’s ability to access such data through various surveillance laws. The Court’s press release explained that that such generalized access “to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life,” especially without a sufficient opportunity for a harmed individual to pursue legal remedies.
The ruling requires national data protection authorities (DPAs) to hear and resolve individual complaints regarding the adequacy of data protection when data is transferred from the EU to the U.S. The DPAs can no longer rely on the Safe Harbor agreement to govern their decisions and they will be required to investigate these complaints. The ECJ ruling itself does not provide for a transition period, raising the possibility that EU citizens may continue bringing privacy challenges against companies in the EU that relied on the Safe Harbor framework to transfer personal information to U.S. companies, including affiliates, contractors, and vendors.
However, companies considering making immediate changes to their data import (or export) programs should take some reassurance from rumors that EU officials will grant a formal grace period (perhaps between 12 to 18 months) before any enforcement efforts take place, though the existence and conditions of the grace period have not been confirmed. Moreover, the DPAs and the Article 29 Working Party report that they will develop guidance, and DPAs presumably understand that it will take time for companies that are currently certified—and companies that transfer data to them—to adopt a new strategy. In addition, EU and U.S. government officials have been negotiating to update the Safe Harbor framework, which may address the ECJ’s concerns, and there is some hope that this decision will accelerate those efforts. For all of these reasons, absent immediate business pressures (which some data importers already have begun to face), there is good reason for companies to wait and see what guidance emerges, and how their customers and business associates or data partners intend to react.
Notwithstanding all of these considerations, companies that feel business (or legal) pressure to take immediate steps in the interim have a small number of options (all of them somewhat imperfect) to improve their status as data exporters or importers, including:
- Companies can begin using model contracts (unmodifiable, but slightly customizable, templates approved by the European Commission) relatively quickly, allowing for a smooth transition and limited interference with business operations. However, these contracts, while not invalidated by the ECJ, arguably suffer from some of the same potential defects regarding government access to personal data. Moreover, model contracts contain requirements not imposed by Safe Harbor (such as audit rights), and selecting from the available contracts requires importers to take a stance on issues that they previously may have managed through strategic ambiguity, such as their status as a controller or processor under EU law.
- Binding Corporate Rules (BCRs) are another option for some companies, but these are at best a half-solution, because the development and approval process is a lengthy one.
- Another potential option is to restructure data flows so that companies keep EU data in the EU (such as at an EU affiliate) but do not make this data accessible from the U.S. Careful consideration should be given to the location of the processing in the EU. Complex rules govern which EU member state’s laws apply to data processed by an entity located in the EU, and some laws are more advantageous than others.
