ECJ Declares The EU-US Safe Harbour Agreement Invalid

A popular method of exporting personal data to the US has been invalidated by the European Court of Justice.

Any export of personal data outside the EEA must be done in accordance with the Data Protection Act 1998 (and equivalent legislation around Europe).  The Safe Harbour scheme is used by a large number of businesses to export data to the US.  Safe harbour is a self-certification scheme agreed by the European Commission and the US Department of Commerce and sets out minimum standards for the processing of personal data.  Safe harbour is used to demonstrate that the personal data will get adequate protection in the US. 

This scheme has been invalidated with immediate effect by the ECJ.  The Court ruled that the scheme did not provide adequate protection for personal data.

Why was Safe Harbor challenged?

The case was brought about by privacy campaigner Max Schrems following the Snowden revelations.  Mr Schrems had a Facebook account with the European arm of Facebook, headquartered in Ireland.  Facebook shared data with its US counterpart and Schrems objected as he was concerned that US security services would get access to his personal data.  He requested that the Irish Data Protection Commission audit material that Facebook might be passing on. The Commission declined to do this because it said that the export of the personal data was permissible under Safe Harbour.  The matter therefore went to the ECJ.  Schrems argued that since Facebook data was subject to mass surveillance by US intelligence agencies, Safe Harbour did not offer an adequate level of protection.

The ECJ decision follows a legal opinion from Advocate General Yves Bots, an advisor to the court, arguing Safe Harbour should be struck down. "The surveillance carried out by the United States intelligence services is mass, indiscriminate surveillance," Bots said. "In those circumstances, a third country cannot in any event be regarded as ensuring an adequate level of protection."

Consequences of the ruling?

Personal data should no longer be transferred to US firms solely on the basis that they are Safe Harbour certified. Although the Schrems case arose from a complaint about Facebook it applies to all transfers of personal data to the US under Safe Harbour and has far-reaching consequences - thousands of businesses rely on Safe Harbour as a means of moving information to the US from Europe and companies will now have to look to putting replacement measures in place.

The ruling affects both businesses with operations in the US and businesses who use third party services provided from the US particularly where cloud computing or SaaS is used.

The court judgement does not give firms a grace period to revise their arrangements for transfer of personal data to the US.  However, the UK Information Commissioner’s Office has stated today that it recognises that it will take businesses some time to review their compliance with the law and as such is unlikely to take enforcement action immediately.

There are other options for ensuring compliance, however whilst it would technically be possible to use other mechanisms such as approved contractual clauses to legitimise the transfer they are likely to be vulnerable to similar arguments as those made in this case and as such, while they may work as an interim measure, they are unlikely to provide long term protection.  Businesses could legitimise the transfer of data from the EU to America by directly seeking the consent of the data subject. However, this could be extremely difficult to do retrospectively in respect of data which has already been transferred. Also, consent can also be withdrawn at any time which gives rise to practical difficulties in relying on it.

The EU and the US have been in negotiations for some time in relation to an updated Safe Harbour system.  This ruling may impact on those negotiations. The EU has said it would only finalise the agreement if Europeans are given the right to sue US companies in American courts for misusing their data. The US seemed ready to agree, but it is possible that its politicians will retaliate against the ECJ's ruling by refusing to grant the privilege.

The European Commission and national regulators are holding emergency meetings to consider their response.  The European Commission is giving a press conference later today and we await their explanation on how it plans to react to the ruling.

Expert Opinion

“This decision opens up a huge can of worms for businesses who trade with the US or even those who just have cloud solutions with US providers. The Commission needs to act quickly to come up with a workable alternative to minimise interruption to potentially thousands of businesses in the UK.” Joanne Bone - Partner