Alert
By Andrew Caplan,
10.07.15
Europe’s top court has ruled that the “Safe Harbor Framework” data sharing regime, which U.S. companies have relied upon to hold information regarding EU citizens, is “invalid.” This means that any company relying upon the Safe Harbor Framework, and any U.S. company holding EU citizen data in the U.S., urgently needs to review and reform how such data is transferred and stored to avoid the risk of fines. The status quo is not an option.
Yesterday, the Court of Justice of the European Union (the “CJEU”) delivered a striking blow to the fifteen-year-old regime governing EU-U.S. data transfers. Specifically, the CJEU declared invalid the Safe Harbor framework (the “Safe Harbor Framework” or the “Framework”) that thousands of U.S. companies have relied upon to facilitate data transfers from the EU to the United States.
The CJEU’s rationale for striking down the Safe Harbor Framework was primarily based upon its assessment that U.S. authorities have the ability to access personal data transferred from EU member states (“Member States”) and process it in a way that is “incompatible…with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.” The CJEU’s conclusion was largely informed by the 2013 revelations of Edward Snowden regarding the U.S. government’s capture of personal data through the PRISM program.
This means that companies that have relied upon the Framework must look back to the default EU standards from 1995 to determine whether their data sharing practices are permissible. Further, the CJEU’s opinion has clarified the role of individual EU Member States in enforcing these requirements.
In this client alert, we provide a brief discussion of the legal background that established the Safe Harbor Framework; the CJEU’s analysis behind its decision; and practical steps companies can take to help ensure compliance.
Background on the Legal Framework Surrounding the Safe Harbor Framework
On October 24, 1995, the European Parliament and Council issued Directive 95/46, establishing that a transfer of personal data from the EU to another country must meet EU standards, or else the data cannot be transferred.[1] The rationale for this approach “is to protect the fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (the “Convention”),…and in general principles of Community Law.”[2]
As such, pursuant to Article 25(4) of Directive 95/46, if a country’s privacy laws do not meet EU standards and ensure an adequate level of protection, EU Member States must prevent the transfer of data to the country in question.
However, the next section of Directive 95/46, Article 25(6), provides a mechanism by which the European Commission may find that a particular country does provide an adequate level of protection, by reason of its domestic law or international commitments, for the protection of the private lives and basic freedoms and rights of individuals, in accordance with the Directive.
Pursuant to this authority under Article 25(6) of Directive 95/46, the European Commission issued Commission Decision 2000/520 on July 26, 2000, which established the Safe Harbor Framework for data transfers between the EU and the U.S. This Commission Decision states that U.S. companies subject to Federal Trade Commission or Department of Transportation jurisdiction may satisfy the requisite standard of “adequate” personal data protection by complying with Commission Decision 2000/520.[3] Until yesterday, companies in the U.S. storing, processing or transferring data from EU citizens were able to use this Safe Harbor Framework through an annual self-certification with the U.S. Department of Commerce.
With Safe Harbor now “Invalid,” Companies Must Change Data Practices