European Court of Justice

Subscribe to European Court of Justice

There’s no doubt businesses in the EU and US would breathe a sigh of relief if a new Safe Harbor agreement is put in place between before European data protection authorities start prosecuting companies for potentially illegal personal data transfers to the US.  But if it doesn’t happen, the US is actually not any worse off than most of the rest of the world.  No other country has a special agreement with the EU concerning personal data transfers, and only eleven countries have been deemed to be “adequate” by the European Commission: Andorra, Argentina, Canada (commercial organizations only), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

Only one of the countries on the “adequate” list, Switzerland, is a “top ten” EU trade partner, according to the latest trade statistics published by the Commission (based on 2014 figures).  Only two of the countries are in the top twenty (Canada is in twelfth place).  Japan, India, Brazil, Turkey, South Korea, all “top ten” EU trade partners, are not on the “adequate” list.  Nor is China or Russia, both of which have significant trade with the EU (coming in second and third in the “total EU trade” rankings published by the Commission).  So if the US isn’t on the “adequate” list, it is no worse off than most other major EU trade partners. Continue Reading (So) What if there’s no Safe Harbor 2.0?

Privacy & Security Matters Monday Blog Series ImageAnd the days dwindle down, to a precious few … November …

We are still following developments in the EU relating to the invalidation of the US-EU Safe Harbor Framework.   In case you were on a secluded island during the month of October, you can catch up here.

European Commission Issues Communication.  On Friday, the European Commission issued “long-awaited” guidance (called a Communication), which did not shed much new light on the cross-border data transfer issues, but instead rehashes the “alternative transfer tools” available to legitimize data flows to jurisdictions deemed “not adequate,” like the United States.   More after the jump. Continue Reading Privacy Monday: November 9, 2015 – EU/Safe Harbor Updates

EU Commissioner Vera Jourova recently announced in a speech to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) that the Commission and the US have made substantial progress in finalizing a new Safe Harbor program. Jourova noted that the collection and use of European personal data for US national security purposes remains a key open issue.  However, she also reminded LIBE that the US has undergone a substantial review of the NSA’s alleged mass surveillance activities over the past couple of years.

Overall, Jourova’s comments seemed optimistic regarding getting a new Safe Harbor program finalized prior the Art. 29 Working Party’s January deadline for increased enforcement by national Data Protection Authorities starting at the end of January 2016. (The Art. 29 Working Party’s statement is available as a PDF on this page.)

In the meantime, the German regional data protection authorities have collectively announced that they will investigate data transfers by Google and Facebook to the US (without waiting for complaints by German users).  The German DPAS have also suspended approval of new Binding Corporate Rules and customized data protection clauses.  (Model clauses, which don’t require DPA approval in Germany, are not immediately affected, but could be vulnerable to attack.)

Keeping an eye on national data protection authorities’ enforcement agendas will be important once we have Safe Harbor 2.0 in place, since under the Schrems decision, Safe Harbor 2.0 will be effectively subject to the review of national DPAs and courts.

As all of our readers know by now, as of October 6, the US-EU Safe Harbor Framework is no more.   Safe Harbor was the mechanism on which thousands of US companies (and thousands of companies based in the European Union) legitimized their data transfers from the EU to the US.  All the background, including links to a recording of our “emergency” Privacy webinar on the issue, can be found here, here, and here.

Two more dominos outside the European Union have toppled. Continue Reading More Dominos Fall on the Data Protection Table

The Irish High Court today has ordered the Irish Data Protection Commissioner (DPC) to investigate Facebook’s European data privacy practices, bringing Max Schrems’ three-year fight full circle.  The Court today quashed the original DPC refusal to examine Schrems’ complaint that came back to the High Court after the referral to the European Court of Justice (CJEU).

Ireland’s DPC, Helen Dixon, refused to investigate the original Schrems’ complaint based on the validity of the US-EU Safe Harbor Framework.   By now, we all know what happened to Safe Harbor when it reached the CJEU.

Today’s High Court decision awards Schrems costs for his legal bills and travel expenses and Judge Gerard Hogan commented that “the commissioner is obliged now to investigate the complaint … and I’ve absolutely no doubt that she will proceed to do so.”

The EU’s Article 29 Working Party of EU data protection officials issued a joint statement last week forthrightly expressing its position post-CJEU decision:

Regarding the practical consequences of the CJEU judgment, the Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbour decision”). In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful. 

 

 

The so-called “Article 29 Working Party” of EU Data protection officials from the 28 EU member states today released a much-anticipated press release regarding the Court of Justice of the European Union (CJEU) landmark decision invalidating the US-EU Safe Harbor framework.

US companies hoping for some guidance on managing cross-border data transfers will be sorely disappointed.

Regarding the practical consequences of the CJEU judgment, the Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbour decision”). In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful. 

Further, although the statement indicates that the Working Party considers that Model Contracts or binding corporate rules “can still be used,” the group reserves the right to investigate any privacy complaints that arise in relation to any such transfers.   In addition, unless the EU and US authorities agree on a Safe Harbor 2.0 or some other replacement, the statement says that the data protection authorities would consider taking “coordinated enforcement actions” against companies unlawfully transferring data.

The last paragraph of the statement sounds a warning to US businesses:

…in the context of the judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis.

 

In case you missed it, our webinar regarding the CJEU decision and how to navigate a path forward in a world without a Safe Harbor data transfer framework can be accessed here.

 

The EU Parliament committee that is charged with considering data protection matters (LIBE) has issued a press release calling on the European Commission to take action before the end of 2015 to come up with alternatives to Safe Harbor.  Importantly, LIBE has also called on the Commission to reassess whether the European Court of Justice’s recent invalidation of Safe Harbor casts doubt on other means for legitimizing the transfer of personal data from the EEA to the US.

As we have commented previously here, the ECJ’s rationale in the Schrems Safe Harbor decision could be used to attack both BCRs and Model Clauses.  LIBE certainly seems to have picked up on that also. Continue Reading EU Parliament Committee calls on the Commission for immediate action on US data transfers

Don’t forget to join us this afternoon – Wednesday – at 3 PM ET for a webinar discussion of the European Court of Justice’s game changing decision invalidating the US-EU Safe Harbor framework.   What’s next?  What should be your Plan B?

Registration is here. Continue Reading REMINDER: Webinar TODAY — EU-US Safe Harbor Program and the Court of Justice of the EU’s Decision — Protect Your Business!

 

As I reported earlier today, the Court of Justice of the EU (ECJ) has declared Safe Harbor invalid.  The full decision is now available online  in English here (other languages also available at curia.europa.eu by searching on C-362/14).

There are two key elements of the ECJ’s decision.  The first is that national data protection authorities in the EEA are authorized – indeed, required – to hear complaints from individuals with regard to the transfer of their personal data outside of the EEA regardless of whether the Commission has issued an adequacy decision.  The second is a determination that the Commission’s adequacy decision concerning Safe Harbor is invalid.  Period.  It’s gone.

Most US companies that rely solely on Safe Harbor will initially focus on the second part of the decision invalidating Safe Harbor.  That makes sense, because if Safe Harbor is your company’s only basis for legitimizing the transfer of personal data from the EEA to the US, your company is likely in violation of various contracts and, if your company is the data controller responsible for the transfer or otherwise directly subject to European data protection laws, it’s probably in violation of European data protection laws.  Near-term consequences?  The possibilities include:

  • termination of contracts and exposure to damages
  • customer complaints to your company
  • customer complaints against your company made to local Data Protection Authorities (DPAs)
  • employee complaints (although rather less likely than customer complaints)
  • loss of potential new business in Europe
  • orders and injunctions issued by DPAs that force your company to stop transferring personal data
  • (and no doubt you can add your own parade of horribles here . . . such as lost time of your General Counsel, your head of IT systems, head of consumer services and other senior executives, possibly a need for extensive data audits, and so on)

The invalidation of Safe Harbor in the blink of an eye (even if the case was pending over a year) requires urgent action.  But we should also be concerned about the first part of the ECJ’s decision, to the effect that local DPAs will always have the right and obligation to hear complaints from individuals even if the Commission has issued an adequacy decision.  We should care about this because for nearly two years, EU and US bureaucrats have been trying to negotiate a more robust Safe Harbor.  Let’s call that Safe Harbor II.

A few days ago, some commentators suggested that Safe Harbor II would save Safe Harbor-dependent companies because it would remedy the faults that the ECJ might find with the original Safe Harbor.  But now we know that even if the Commission endorses a Safe Harbor II, it can be attacked on a country-by-country basis.  Furthermore, the ECJ has effectively raised the bar for Safe Harbor II – in future judicial assessments of Commission decisions, the ECJ will take a strict approach to reviewing such decisions (see Para. 78 of Schrems).   To achieve a Safe Harbor II that meets the ECJ’s stringent requirements, the Commission will, effectively, need to “ensure” that the US’s national security laws don’t allow the gathering of data beyond that strictly necessary to achieve their objectives (that is, objectives that the ECJ thinks are legitimate) and contain adequate safeguards for EEA individuals.  Taken in its strongest form, this could include a right to know their data has been processed by intelligence services, a right to find out what data has been gathered about them, and a right to have incorrect or incomplete data rectified (see Para. 90 of Schrems), all of which would be, to say the least, in tension with the fundamentals of intelligence work.

In a nutshell, we may not get a Safe Harbor II any time soon, and if we do, we won’t be able to rely on it (not with any real confidence) until it’s been challenged through national DPAs, then the national courts, then referred to the ECJ – and we finally have an ECJ decision upholding it.  In other words, Safe Harbor II will be negotiated with a wary eye toward the inevitable ECJ chopping block.  As for what’s next on the chopping block, the Schrems opinion does nothing to settle concerns that model contract clauses and BCRs are vulnerable to attack on essentially the same basis as Safe Harbor.  Consent is looking better and better all the time – little surprise that Facebook Ireland has an express consent to transfers to the US and other countries built into its terms of use.

This all sounds a bit grim, doesn’t it?  There are alternatives to Safe Harbor (again, described in my earlier posts on this topic), although they have their own challenges.  Please tune in for our webinar on Wednesday, 7 October at 3 pm EDT for more discussion about steps you can take to comply with EU data protection laws in the new, post-Safe Harbor era.

 

UPDATE: Here’s a link to the English-language version of the ECJ’s full decision: Schrems Safe Harbor Decision

A press release issued by the Court of Justice of the EU (ECJ) regarding its decision in the Schrems Safe Harbor case (C-362/14) confirms that the ECJ has declared Safe Harbor invalid.  The ECJ has sent the case back to the Irish Data Protection Authority to determine whether Facebook Ireland’s transfer of personal data to the US is permitted under EU data protection law, in light of Facebook’s participation in the NSA’s PRISM program.  We are awaiting publication of the decision and will report further after it becomes available.

In the meantime, here’s the background to this decision and some suggestions for what to do next if your company relies on Safe Harbor:

The European Union’s Data Protection Directive (1995) prohibits the transfer of personal information outside of the European Economic Area unless the receiving country ensures an adequate level of privacy protection.  Soon after the Directive was passed, the European Commission determined that the US doesn’t offer adequate levels of protection.  The EU and the US negotiated the Safe Harbor agreement in 2000 to allow US companies to self-certify that they provide protections that are equivalent to the requirements of the Data Protection Directive.

Currently, over 4,500 US companies rely on the EU-US Safe Harbor program to make their transfer of personal data from the EU to the US legal under European privacy laws.

If your company relies exclusively on Safe Harbor as the basis for its transfer of personal data from the EU to the US, it will need to find another basis for the transfer as soon as possible.  The primary options are:

  • Consent of the data subject to the transfer. In most circumstances, the consent needs to be explicit and fully informed to be valid.  It’s also important to keep records of the consent in case there’s a challenge.
  • Binding corporate rules for intragroup transfers. BCRs need to be approved by the relevant national information commissioners, and this is a lengthy process (potentially 18 months or more).  So while this is a longer term option, it won’t help if Safe Harbor is not available. Also, BCRs are vulnerable on the same grounds as Safe Harbor.
  • Contracts between the exporting and receiving entities. The European Commission has provided model clauses that can be incorporated into agreements to ensure adequate protection of the transferred personal data. However, see the cautions below.
  • In the UK, companies may be able to make their own adequacy determinations under guidance issued by the UK’s Information Commissioner’s Office.

There’s a very important caveat that would apply to all of these alternatives except possibly the data subject consent option:  BCRs and model contracts require the data recipients essentially to promise that the data will be protected to the same level as in the EU.  If your company could receive a subpoena from the NSA or other US government agency to disclose the personal data of EU residents, then the BCRs and contracts (and UK adequacy determinations) would presumably face the same weakness that the Safe Harbor faces: a fundamental incompatibility between EU data protection law and the powers of US government agencies to conduct intelligence operations and require US companies to comply.