On October 6, 2015, the Court of Justice of the European Union (CJEU) issued a decision that invalidates the current U.S.-European Union Data Protection Safe Harbor Framework. The Safe Harbor Framework is the mechanism that the EU Commission had determined 15 years ago provides adequate protection for personal data transferred from the EU to the United States under the EU’s data protection directive (Directive). More than 4,000 US-based businesses have relied upon this framework. The decision might well impact US multinational companies that have relied on the safe harbor to move data from the EU to the United States for review as part of an internal investigation. Thus, the CJEU decision is a radical upset to the daily operations of thousands of companies involved in the movement of significant amounts of personal data across transatlantic borders.
The CJEU decision stemmed from a challenge lodged by a European Facebook user with the Irish data protection authority (DPA). The challenger claimed Facebook transferred some or all of his Facebook data from Facebook’s EU-based servers in Ireland to its US servers and alleged, parroting a largely debunked allegation of Edward Snowden from 2013, that the NSA had unrestricted access to data stored on Facebook’s servers. After the Irish authority dismissed his complaint, ruling that under an EU Commission decision the Safe Harbor Framework gave the claimant enough protection, his appeal ultimately wound up at the CJEU.
In its blockbuster decision, the CJEU first invalidated the EU Commission’s decision that the Safe Harbor Framework was adequate. The CJEU found that because the EU Commission’s decision approving the Framework provides an exception for “national security, public interest, or law enforcement requirements,” “[US] public authorities . . . have access on a generalised basis to the content of electronic communications,” and that these authorities “must be regarded as compromising the essence of the fundamental right to respect for private life.”
In perhaps a more significant development in the long run, as part of its reasoning the CJEU held that “the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities.” In other words, DPAs are required to assess independently the compliance with the Directive, and an EU Commission decision does not prevent a DPA’s continuing oversight of transfers of personal data to third countries.
As an immediate practical matter, the CJEU judgment does not prohibit transfers of personal data from the EU to the United States. But it does preclude reliance on the Framework as the legal basis to make such transfers consistent with the Directive. Therefore, businesses that relied on the Safe Harbor to legitimize those transfers will need to re-assess their options for compliance with the Directive. The decision also underscores the need for U.S. companies—and the U.S. government—to engage in the public dialogue necessary to build trust across the Atlantic and to clarify the meaning and application of U.S. law to US law enforcement and intelligence activities.
The EU Commission has publicly indicated that it is planning to release “clear guidance” for DPAs in the wake of the ruling. Yet, guidance coordinated with the DPAs would be more helpful, as the CJEU’s decision has undermined the EU Commission’s ability to speak authoritatively on this issue. Meanwhile, many of the DPAs have announced publicly that they are taking time to consider fully the implications of the CJEU judgment. Businesses should do the same, but should not delay in taking steps to address how to best deal with EU-to-US transfers of personal data in accordance with the Directive without reliance on the Safe Harbor.