On October 6, 2015, the Court of Justice of the European Union (CJEU) issued an opinion that substantially complicates data transfers from the European Union (EU) to the United States. The decision prevents companies from relying on the popular EU/US Safe Harbor Framework. In Schrems v. Data Protection Commissioner, Case C-362/14, the CJEU invalidated European Commission Decision 2000/520. Dating back to 2000, Decision 2000/520 established the Safe Harbor Framework for companies transferring EU citizens’ personal data to the U.S., as long as they complied with standards established by the Safe Harbor. Citing surveillance practices revealed by Edward Snowden, a former contractor of the U.S. National Security Agency, the CJEU found that the Safe Harbor failed to effectively protect the privacy of EU citizens. Further, the CJEU clarified that the national data protection authorities of individual EU member states may investigate and suspend data transfers if they determine that such transfers provide inadequate protection for EU citizens.
EU Directive 95/46/EC prohibits companies from transferring personal data from the EU to the U.S. unless a company elects a sanctioned option for making such transfers.
Who is Affected?
The CJEU opinion affects any company that transfers or desires to transfer personal identification data from the EU to the U.S., including employee and customer data. Over 4,000 companies self-certified as compliant with the Safe Harbor framework. Those companies must either choose a different permissible method for making such transfers or they must cease transferring the data.
What Options do Companies Have?
Model Contractual Provisions – Companies may rely on Model Contractual Clauses, which can be used to establish that EU citizens’ data is adequately safeguarded and thus may be transferred to the U.S. They may use such clauses for intra-company transfers and transfers to third party vendors. It is important that any company agreeing to such clauses understand the obligations and ensure that its privacy program is able to comply.
Binding Corporate Rules – Binding Corporate Rules (BCRs) are another alternative to the Safe Harbor. Companies must develop data security and privacy standards that will establish that they adequately safeguard EU citizens’ data. Once a company has developed BCRs, local data protection authorities must approve the BCRs before the company may rely on them for transfers to the U.S.
Consent – A company may receive opt-in consent from an individual to transfer such individual’s personally identifiable information to the U.S. For consent to be valid, it must be specific, informed, and freely given.
Changing the Location of Data – By maintaining EU data in the European Union, companies can avoid the prohibition of transfers to the U.S. Changing data storage practices and locations is not an option that a company can implement quickly. Rather, it would need to be part of a long-term strategy to change a company’s privacy practices and information technology infrastructure.
New Safe Harbor – The U.S. and the EU are negotiating a new Safe Harbor (Safe Harbor 2.0) framework intended to implement improvements over the original Safe Harbor. Although negotiations are ongoing, no deadline has been set for when Safe Harbor 2.0 will become final. Further, it is unclear whether Safe Harbor 2.0 would resolve all of the issues raised by the CJEU in its decision.
In the wake of the Schrems opinion, any company that previously relied on the EU/US Safe Harbor must decide on an alternative option to ensure that it does not violate EU law by transferring data from the EU to the U.S. There are multiple options available to companies, and all of the applicable stakeholders involved in managing a privacy program (information technology, human resources, legal, executives, etc.) should consider how the entity can best change privacy practices for transfers of personal data to comply with EU law.
For more information, please contact Ulmer & Berne’s Data Privacy and Information Security team.