U.S.-EU Safe Harbor Invalidated: What Next?
Client Alert | 2 min read | 10.06.15
On October 6, 2015, the European Court of Justice (ECJ) invalidated the U.S.-EU Safe Harbor Framework (Safe Harbor), meaning it is no longer a valid mechanism for data transfers from the European Union (EU) to the U.S. Over 4,400 companies rely on Safe Harbor to lawfully and practically transfer data from the EU to the U.S. The ECJ based its opinion on U.S. national security practices, finding that Safe Harbor "thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision [finding Safe Harbor adequate] does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference." The ruling immediately terminates the Safe Harbor program that has been in place for the last 15 years.
The ECJ also held that EU member state courts and data protection authorities have the power and obligation to examine "adequacy" determinations when complaints are brought by one of their citizens regarding personal data transferred to countries that the European Commission deemed "adequate." Finally, the ECJ clarified that it has sole authority to overturn European Commission decisions regarding "adequacy," and that national courts and data protection authorities must abide by European Commission decisions until or unless the EU's highest court determines those decisions to be invalid.
The European Commission and U.S. Department of Commerce, the two government parties responsible for Safe Harbor, both responded after the ruling that they intend to move forward with the Safe Harbor renegotiation, which has been in the works for two years.
While the European Commission promised to provide guidance to the EU member state data protection authorities "to ensure a coordinated response on alternative ways to transfer data," it highlighted the immediately available options for EU-U.S. data transfers, including:
- EU-approved model contract clauses;
- binding corporate rules (which are for intra-company transfers only);
- performance of a contract (e.g., limited to circumstances such as booking a hotel in the U.S. or ordering a product from the U.S. where personal information must be provided to the U.S. entity to fulfill the contract);
- important public interest grounds (e.g., cooperation between authorities regarding fraud or cartel investigations);
- the vital interest of the data subject (e.g., urgent life or death situations); and
- the free and informed consent of the individual ("if there is no other ground" and by very limited and express means, though this may not be possible for human resources data).
Those options have existed for years, but none was intended for the vast amounts and types of personal data transfers on which the digital world has come to rely. In addition, it is unclear whether the ECJ's underlying reasons for invalidating Safe Harbor also would apply to these other mechanisms.
We will provide the latest guidance from both the U.S. and EU as it becomes available.



