End of Safe Harbour principles following ECJ judgment
ECJ: The Safe Harbour principles are invalid - need for action for companies in transatlantic legal/data traffic
On 6 October 2015, the European Court of Justice (ECJ) declared the "Safe Harbour Agreement" for the exchange of personal data between the European Union and the United States invalid (Case no. C-362/14). This results in an urgent need for action for transatlantic legal or data traffic that may also affect you. Below we provide some details on this topic.
1. What was Safe Harbour?
The Data Protection Directive (Directive 95/46/EC) and the German Data Protection Act (BDSG) prohibit the transfer of personal data from EU Member States to states that do not have a level of data protection that is equivalent to that of the EU Member States. Such a 'deficit' in terms of data protection exists with regard to the United States among other countries, given the fact that US privacy law lags well behind EU data protection law.
However, in practice, there is a great need to deliver personal information from EU Member States to the United States. The Safe Harbour principles emerged against this backdrop:
- US companies can voluntarily submit to certain privacy principles by way of a commitment and register this voluntary commitment in a list kept by the US Department of Commerce.
- The US Department of Commerce can sanction infringements against the Safe Harbour principles.
In the year 2000, the European Commission decided that a sufficient level of data protection could be assumed for US companies that had voluntarily pledged to observe the Safe Harbour principles. As a consequence, personal data could be transferred legally from EU Member States to such US companies.
Many US companies then committed to the Safe Harbour principles, and transatlantic data transfers have regularly been legitimised ever since by referring to the Safe Harbour principles.
2. Criticism of Safe Harbour and the ECJ decision
However, privacy advocates have long doubted whether US companies really could be viewed as "safe havens" merely on the basis of their acknowledgement of the Safe Harbour principles.
In the context of a legal dispute on data protection at Facebook, the European Court of Justice finally had to reach a decision on the Safe Harbour construct. In its judgment dated 6 October 2015, the ECJ agreed with the opinion of privacy advocates and of the Advocate General at the European Court of Justice that, against the background of the extensive storage of personal data from EU Member States in the United States that US law permits, an appropriate level of data protection could not be assumed even if US companies subjected themselves to the Safe Harbour principles.
The ECJ therefore declared the decision of the European Commission from the year 2000 to be invalid. The transfer of personal data from EU Member States to the United States may no longer be based on Safe Harbour principles.
3. Consequences for business practice and need for action
Companies headquartered in the EU are now required to provide a new legal basis for the transmission of data to the United States. If your company has, thus far, relied on the Safe Harbour principles in transatlantic legal relations, it needs to look into the following issues without delay:
- Can your company support its transmission of data to the United States with another legal basis, so that the revocation of the Safe Harbour principles has no effect on it?
This is typically the case if the data transmission is necessary for the performance of a contract (online shopping, etc.).
- Can the EU standard contractual clauses be used as the potential basis for future data transmissions to the United States?
The EU Commission has decided that a sufficient level of data protection can be assumed in data transmissions from EU Member States to the United States if the participating companies agree on the validity of the EU standard contractual clauses.
- Can EU Binding Corporate Rules be used as the potential basis for future data transmissions to the United States?
This option is above all open to international corporations who can introduce binding, group-internal data protection rules in order to ensure an appropriate level of data protection. If binding corporate rules are a potential solution for your business, data can be legally transferred to countries other than the United States on this basis.
- Is the consent of the persons concerned required?
If no other basis for transmitting personal data from EU Member States to the United States can be established, then the consent of the person concerned to transmission of the data to the United States must be obtained.
4. BDO is happy to support you
BDO is happy to support your company in all the issues that now arise following the end of the Safe Harbour principles. We review your data protection approaches and agreements with US companies to identify any need for action and develop solutions for your future data transmissions to the United States. Our interdisciplinary team is happy to advise you on the implementation of EU standard contractual clauses in your contractual documents, and with defining and describing the required technical and organisational safeguards. We naturally also investigate whether binding corporate rules are available to you as an alternative. We also support you in all questions relating to consent in the context of data protection. Please don’t hesitate to contact us.