CJEU declares safe harbour invalid - Implications for your business

Friday, 09 October 2015

The Court of Justice of the European Union (CJEU) has declared that Safe Harbour, the self-certification procedure that allowed over 4,000 US companies to declare themselves compliant with EU Data Protection laws, is invalid. The decision has been widely expected since the opinion of Advocate General Yves Bot, which was highly critical of the Safe Harbour procedure, was published on 23 September last.

What does this mean in practice for Irish companies that transfer personal data to US companies that self-certify under Safe Harbour? 

The first point to bear in mind is that the law on data protection has not changed, nor have the obligations on data controllers to protect the rights of data subjects. Transfer of personal data from the EU to a country that is not deemed to provide ‘an adequate level of protection’ has always been and remains prohibited (unless one of a number of derogations applies to the transfer, which then renders the transfer legally permissible).

The United States was never considered by the EU to provide an adequate level of protection to EU citizens' data. What has changed is that one of the derogations in the Data Protection legislation (namely the decision in 2000 by the European Commission that self-certification by US companies under the so-called “Safe Harbour” regime provided an adequate level of protection for personal data transferred to the United States) has now been declared invalid by the CJEU.

Irish companies that transfer personal data to companies in the United States will have to find an alternative mechanism by which they can avoid infringing on data subjects' privacy rights and falling foul of the Irish Data Protection Acts 1988-2003 which implement the EU Data Protection Directive.

Can personal data still be transferred to the United States without infringing on data privacy rights?

Safe Harbour was not the only mechanism under which personal data could be legally transferred to the United States. Other derogations provided for in the Data Protection Directive remain. For example, personal data can be transferred to the US (or to any other ‘unsafe’ country) if the data subject provides ‘unambiguous’ consent. The following transfers are also unaffected:

  1. Transfers necessary for the performance of a contract between the data subject and the controller;
  2. Transfers necessary for the conclusion or performance of a contract concluded in the interest of the data subject;
  3. Transfers necessary in order to protect the vital interests of the data subject; and 
  4. Transfers legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims.

The CJEU judgment stressed that such derogations should only be applied ‘in so far as is strictly necessary’, and this is consistent with guidelines issued in the past by the Irish Data Protection Commissioner. The overriding principle of the CJEU judgment is the fundamental right to privacy of the individual, and the abuse of such derogations is not likely to be tolerated by the Regulator.

If a transfer of personal data does not fall into one of the above derogations, other alternatives also exist.


Alternatives to Safe Harbour

A data controller in Ireland, which wishes to transfer personal data to a US company, can use an EU approved ‘model contract’ as the basis for its relationship with the third-country organisation. This model contract will include provisions on adherence to data protection rules, transparency on what happens to data, cooperation on dealing with inquiries from data subjects and liability to data subjects.

Another alternative is Binding Corporate Rules (BCRs), a complex corporate governance mechanism suitable for transnational corporate groups. These consist of internal rules, such as a code of conduct or privacy policy, which guarantee adequate safeguards for the protection of privacy. BCRs are required to be approved by the data protection authority in each EU Member State.

However, these alternatives are not a panacea. The perceived problem with Safe Harbour was not the self-certification process in itself, but the lack of enforcement and oversight. Having a model contract or BCRs in place will not absolve the data controller from responsibility if the basic data protection principles are not observed in practice.

What happens next?

For the time being, it is likely to be business as usual for the companies that do transfer personal data to the United States. The economic and logistical reality of the world's data infrastructure dictates that a significant proportion of European citizens' personal data will continue to be transferred to the US on a daily basis, in spite of the CJEU’s judgment. Ultimately, European ideals of data privacy cannot be easily reconciled with the insatiable demand of business for data, and of consumers for connectivity and convenience.

While European Data Protection Regulators have significant powers to enforce data protection law, including the power to prohibit an errant data controller from processing data at all, not to mention transferring it abroad, it is not realistic to expect that European Data Protection Regulators will act immediately on the CJEU judgment. 

It has been reported that Regulators are meeting to agree a common approach to deal with the judgment. The most likely next step is that the Regulators will issue guidelines on how data controllers should adapt their business practices to deal with the CJEU decision on a practical level. The EU Commission has already announced that it will accelerate its ongoing negotiations with US authorities to bring about what is in essence a ‘Safe Harbour 2’ agreement with more oversight than the previous agreement. It remains to be seen whether agreement can be reached.

While data controllers who have used Safe Harbour in the past should consider alternative means of transferring data to the United States, they should also review their adherence to data protection laws in general. Transferring data to an ‘unsafe’ country is only one of many ways that data controllers can fall foul of Data Protection laws. The CJEU judgment is indicative of an increasing level of regulatory and judicial intolerance of infringements of individual data privacy rights by business, and of an increasing willingness to vindicate those rights.

For further information, please contact Jon Legorburu, or Sean O'Donnell from our Data Protection team.