EU-U.S. Safe Harbor for Data Transfer Sunk

By Allen Smith, Oct 8, 2015

The Court of Justice of the European Union—the highest court in the EU—has torpedoed a safe-harbor mechanism used since 2000 by 4,500 U.S. companies to transfer business information such as payroll and customer data in compliance with EU privacy rules. Employers must consider how they will transfer this information now; alternative solutions are available, but some of them may be short-lived.

The safe-harbor framework was a legal instrument based on an agreement reached between the EU and the United States in 2000, according to DigitalEurope, an advocacy organization for the digital economy based in Brussels.

“We urgently call on [the EU’s executive body] the European Commission and the United States government to conclude their long-running negotiations to provide a new safe-harbor agreement as soon as possible,” said Peter Olson, president of DigitalEurope. “We also call on the European Commission to immediately issue guidance to companies operating under the safe-harbor framework to ensure that essential and routine commercial activities can occur during the current legal vacuum.”

U.S. Secretary of Commerce Penny Pritzker said the United States was “deeply disappointed in [the Oct. 6] decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy.” She added, “The court’s decision necessitates release of the updated safe-harbor framework as soon as possible.”

Facebook User Brought Suit

The case originated from a lawsuit brought by Maximillian Schrems, an Austrian Facebook user since 2008. As is the case with other Facebook users residing in the EU, some of the data Schrems provided to Facebook was transferred from its Irish subsidiary to servers located in the United States, where it was processed. (Facebook is headquartered in Menlo Park, Calif.)

Schrems lodged a complaint with the Irish supervisory authority, the Data Protection Commissioner, saying that in light of former National Security Agency worker Edward Snowden’s revelations on the activities of U.S. intelligence services, the United States does not offer sufficient protection of transferred data against surveillance by public authorities. The Irish authority rejected the complaint on the ground that under the safe-harbor provision, the United States ensures adequate protection.

Safe Harbor Ruled Invalid

However, the Court of Justice of the European Union ruled that the existence of the safe harbor, as drafted, could not reduce the powers available to national supervisory authorities in each EU nation to protect personal data.

In establishing the safe harbor, the European Commission was required to find that the United States ensures a level of protection of fundamental rights equivalent to those guaranteed within the EU, according to the court. But the commission did not make this finding. National security, public interest and law enforcement requirements of the United States prevail over the safe-harbor mechanism, so that United States agencies may disregard the protective rules set out in the safe harbor.

The safe harbor is invalid, the court concluded. It found that data is transferred from the EU to the United States without any criterion for determining the limits of the access of public authorities to the data. Laws in the United States permitting the government to have access to the content of electronic communications compromise the essence of the fundamental right to respect for private life, the court added.

Schrems welcomed the decision, saying it will hopefully be a milestone for online privacy. “This judgment draws a clear line. It clarifies that mass surveillance violates our fundamental rights. Reasonable legal redress must be possible.” He added, “The decision also highlights that governments and businesses cannot simply ignore our fundamental right to privacy, but must abide by the law and enforce it.”

But Richard Cumbley, an attorney with Linklaters in London, said, “Safe harbor is by some measures the most successful U.S.-EU trade deal ever. It’s used by nearly 4,500 U.S. businesses, and indirectly by tens of thousands—maybe more—of their EU customers. Each of those U.S. and EU businesses is now going to have to scrabble to find an alternative approach to transfer personal data across the Atlantic. They have maybe a few weeks to do so.”

Alternatives to Safe Harbor

Model contracts, which are data-protection agreements approved by the European Commission and signed by U.S. suppliers, are one alternative. “Thousands of these contracts have been signed since they were created,” Cumbley noted. “But they suffer from the same problem as the safe harbor, so although model contracts remain a sound compliance approach today, they probably have a limited life span. It’s best to think of them as a Band-Aid.”

An EU regulator in Hamburg, Germany, already has announced he will review model contracts.

A longer-term fix would be if the United States and EU were to agree to a new safe harbor. “Part of that will likely involve the passing of the Judicial Redress Bill in Washington,” D.C., Cumbley observed.

Some large companies also have agreements with European regulators called binding corporate rules that allow them to share data globally without using safe harbor or model contracts. Like the safe harbor, binding corporate rules are designed so that companies can avoid having to approach each individual protection authority in each EU nation separately.

However, the binding corporate rules are more expensive than the safe harbor. Whether businesses adopt more binding corporate rules “depends a lot on how long model contracts survive and the success in negotiating a safe-harbor replacement,” Cumbley concluded.

In a statement, Facebook said that it, “like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the U.S. from Europe, aside from safe harbor. It is imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.”

Brian Hengesbaugh, an attorney with Baker McKenzie in Chicago, said that as a result of the decision, U.S.-headquartered employers that rely on safe harbor for receipt of European employee data should:

  • Evaluate where and how they use the safe-harbor mechanism, both in upstream receipt of data and downstream disclosures to third-party vendors.
  • Determine how or whether alternative mechanisms such as model contracts might be helpful to permit the data flows.
  • Prepare and implement the alternative solutions.
  • Consider whether longer-term solutions might be appropriate, such as binding corporate rules.

“It will be necessary to revisit data-transfer mechanisms in the short to medium term,” Hengesbaugh said. “Some of that may involve renegotiation or discussions with works councils or employee representatives, or data protection officers and authorities, and may require a revisiting of global applications and data flows.”

European works councils represent a company’s European employees. Cumbley remarked that in locations where works councils are troublesome, the decision will be “one more thing to worry about.”

Allen Smith, J.D., is the manager of workplace law content for SHRM. Follow him @SHRMlegaleditor.
