In a landmark decision that will dramatically affect thousands of U.S. companies that transfer personal data from the European Union (“EU”) to the United States, the Court of Justice of the European Union (“ECJ”) yesterday invalidated the Safe Harbor Framework, which had allowed U.S. companies receiving such data to satisfy the EU’s restrictions on transfers of personal data outside the EU.
More than 4,000 companies, primarily U.S.-based multinationals, currently rely on the Framework, an arrangement negotiated in 2000 between the U.S. Department of Commerce and the European Commission (the “Commission”) to permit such transfers. The ECJ’s decision, dated October 6, 2015, calls these companies’ current transfer procedures into question and will almost certainly add urgency to the ongoing negotiations between the U.S. and the EU on a replacement.
In the meantime, U.S.-based multinational employers will need to consider their alternatives, as discussed below, for lawfully transferring the personal data of EU employees to the United States.
Brief Overview of the U.S.-EU Safe Harbor
The European Union Data Protection Directive (Directive 95/46/EC, the “Directive”) is the EU-level law governing the protection of “personal data,” meaning any information relating to an identified or identifiable natural person. The Directive generally prohibits the transfer of personal data to a country outside the EU unless that country ensures an “adequate level of protection” for the data. The Directive also provides that the Commission may find that a third country ensures an adequate level of protection on the basis of either (a) its national data protection laws or (b) its international commitments.
In 2000, the Commission issued a determination (the “Safe Harbour Decision”) that while U.S. national law did not ensure an adequate level of protection for personal data according to European standards, the Safe Harbor Framework, which had recently been negotiated between the Commission and the Commerce Department, met that standard.
The Federal Trade Commission was primarily responsible for enforcing the Safe Harbor Framework.
Legal Challenge to the Safe Harbor Framework
Max Schrems, an Austrian law student who had taken up data privacy activism focused on Facebook’s handling of its EU users’ personal data after a semester studying at Santa Clara University, lodged a complaint with the Irish Data Protection Commissioner in June 2013. Schrems argued that Edward Snowden’s disclosures about the data gathered by U.S. intelligence through the “PRISM” program showed that the United States fails to protect personal data transferred from the EU against covert government surveillance (notably by the National Security Agency).
The Irish Data Protection Commissioner (“DPC”) rejected Schrems’ complaint, primarily on the ground that, as a national data protection authority, its hands were tied by the Commission’s adequacy determination (the DPC also described the complaint as “frivolous and vexatious”).
Schrems then sought judicial review in the High Court of Ireland, which accepted that, if the Commission’s adequacy determination bound the DPC, there was nothing for the DPC to investigate. The High Court referred to the ECJ the question whether a national data protection authority is bound by that determination, which in turn put the validity of the determination itself before the ECJ.
Next, the Advocate General (an independent member of the Court whose role is to advise it) issued a non-binding opinion recommending that the ECJ (i) invalidate the Commission’s Safe Harbor adequacy determination in light of what the opinion characterized as indiscriminate surveillance by U.S. intelligence agencies, and (ii) hold that, because of the importance of national authorities in protecting individuals’ data protection rights, a national regulator may investigate an EU citizen’s complaint and block a data transfer where it is satisfied that the third country will not adequately protect individuals’ fundamental data protection rights.
The ECJ’s Decision Invalidating the Safe Harbor
As the starting point for its October 6 decision, the ECJ construed the Directive’s standard requiring that a third country’s laws “ensure an adequate level of protection” for personal data. According to the ECJ, this standard requires that the third country’s laws and international commitments provide a level of protection for “the private lives and basic freedoms and rights of individuals” that is “essentially equivalent to that guaranteed within the European Union by virtue of [the] Directive.”
The ECJ scrutinized the Safe Harbor Framework and found it failed to meet this standard with respect to enforcement, access to personal data by intelligence agencies, and the ability of EU citizens to enforce their rights.
First, the ECJ implicitly questioned the rigor of the Federal Trade Commission’s enforcement of the Safe Harbor. Because the Safe Harbor relied on self-certification, the ECJ stated, the Framework’s viability depended on “effective detection and supervision mechanisms” to protect fundamental rights “in practice.” The ECJ then pointed to a finding in a report on the Safe Harbor that the Commission had prepared in 2013, in the wake of Snowden’s disclosures, and presented to the European Parliament: “in practice, a significant number of certified companies did not comply, or did not comply fully, with the safe harbour principles.”
The ECJ also expressed serious concern that the Safe Harbor permitted U.S. intelligence agencies to collect substantial quantities of EU citizens’ personal data from Safe Harbor-certified companies, including many of the best-known Internet companies.
In the ECJ’s words, the Safe Harbor Framework “lays down that ‘national security, public interest, or law enforcement requirements’ have primacy over the safe harbour principles, primacy pursuant to which self-certified United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with those requirements. . . .”
From the ECJ’s perspective, the collection of EU personal data by U.S. intelligence agencies, as revealed by Snowden’s leaks, demonstrated that this structural flaw undermined the fundamental rights of EU citizens. In this regard, the ECJ pointed to the following finding in the Commission’s 2013 report: “‘all companies involved in the PRISM programme, and which grant access to U.S. authorities to data stored and processed in the [United States], appear to be Safe Harbour certified’ and that ‘[t]his has made the Safe Harbour scheme one of the conduits through which access is given to US intelligence authorities to collecting personal data initially processed in the [European Union]’.”
Finally, the ECJ concluded that the Safe Harbor Framework did not give EU residents sufficient means to exercise their data protection rights under the Directive or to obtain judicial review of alleged violations. In this regard, the ECJ noted the finding in the Commission’s 2013 report that the Safe Harbor provides “no opportunities for either EU or U.S. data subjects to obtain access, rectification or erasure of data, or administrative or judicial redress with regard to collection and further processing of their personal data taking place under the U.S. surveillance programmes.”
What Does the ECJ’s Decision Mean for U.S. Multinational Employers Certified to the Safe Harbor?
For years, U.S. multinational employers have centralized their global human resources data in databases located in the U.S. to facilitate global workforce management. With the advent of cloud computing, many of these multinational companies have turned to cloud service providers—including, for example, human resources information systems (“HRIS”) providers, payroll administrators, and on-line applicant tracking providers—located in the United States to house these centralized databases.
To the extent these employers have relied on the Safe Harbor Framework to “ensure an adequate level of protection” for the personal data of EU applicants and current and former employees, the ECJ’s decision means they will need to adopt alternative measures to meet the required standard for the protection of personal data received from the EU.
Alternatives to Safe Harbor Certification
At this point, two principal alternatives are available, each of which presents its own challenges. First, employers can consider using the “Standard Contractual Clauses” (“SCCs”) approved by the European Commission. These clauses are embedded in a data transfer contract between the EU-based subsidiary (the “data exporter”) and the U.S. parent corporation (the “data importer”). Second, employers could consider relying on binding corporate rules (“BCRs”), an intra-group set of data protection commitments that must be approved by the relevant EU data protection authorities.
Courtesy of Littler Mendelson – Littler Mendelson is a member of the EACCNY