On 23 September 2015, Advocate General (AG) Bot found that the Safe Harbor framework, which allowed for the "safe" transfer of personal data from the EU to the US, did not provide sufficient guarantees for the protection of the rights of EU citizens. See our previous article on the AG Opinion. The Court of Justice of the European Union (CJEU) has now followed the AG Opinion and declared Safe Harbor invalid.
The CJEU Decision
The CJEU highlighted shortcomings of the Safe Harbor framework, particularly in light of the Edward Snowden revelations. It emphasised that the scheme applies only to US undertakings which adhere to it and that public authorities are not subject to it. It also emphasised that national security, public interest and law enforcement requirements prevail over the scheme, so that those undertakings must disregard the protective rules where they conflict with such requirements. The CJEU stated that such disregard can be seen as "compromising the essence of the fundamental right to respect for private life" and that blocking an individual's right to pursue legal remedies in such an instance "compromises the essence of the fundamental right to effective judicial protection".
The CJEU's ruling is final and cannot be appealed. Data protection authorities of the EU Member States will now have to determine whether transfers of personal data to the US pursuant to Safe Harbor are to be suspended on the grounds that the US does not afford an adequate level of protection of personal data. The EU and the US have recently been renegotiating the Safe Harbor framework and this decision will either shake (and speed) up their negotiations or derail them.
Impact on business
Those businesses (approximately 4,500) that currently rely on Safe Harbor will need to reconsider their options for transferring data to the US. Companies operating in more than one Member State will need to monitor the responses to the CJEU decision of all data protection authorities in those states in which they operate, as different authorities may adopt different positions. For example, some data protection authorities may adopt a generous grace period, but some may take a stricter approach.
Although companies should avoid knee-jerk reactions, as a first step current data flows regarding US data transfers should be immediately reviewed and alternative methods of transfer—such as Model Contractual Clauses—should be considered.
After enjoying a "Safe Harbor" for the last 15 years, it seems that companies are now to experience some choppy waters ahead.
Please contact Cooley's London Privacy & Data Protection team, which is led by partners Ann Bevitt, Mark Deem and Sarah Pearce, to clarify options in light of the ruling and practical alternatives to suit your business needs. They offer multi-disciplinary depth and breadth of experience to clients in data protection, privacy by design, data breach management, incident response, breach preparedness, and related litigation, especially in large breaches and those with multi-national issues.