Europe's Highest Court Invalidates EU - U.S. Safe Harbor Data Sharing Agreement

06 October 2015 Legal News Alert: Privacy, Security & Information Management Publication
Authors: Chanley T. Howell, James R. Kalyvas, Sophie Lignier, Steven M. Millendorf, Eileen R. Ridley, Aaron K. Tantleff


Today the European Court of Justice — Europe’s highest court — invalidated the Safe Harbor agreement and framework that has permitted more than 4,000 companies to transfer personal data from the EU to the U.S. The decision can be found here. In light of this decision, U.S. companies that have been relying on the Safe Harbor framework should immediately take steps to (1) ensure and document their compliance with current safe harbor requirements and (2) implement an alternative method — likely a contractual arrangement — to lawfully permit the flow of personal data from the EU to the U.S.

What the Decision Means to Businesses

Until today, there were four methods for complying with EU data privacy laws for EU to U.S. data transfers:

  • Consent of the individual
  • The Safe Harbor framework
  • Model contracts with standard contractual clauses
  • Binding Corporate Rules

With the Safe Harbor invalidated, and given the complexities and lengthy delays associated with relying on consent or Binding Corporate Rules, most U.S. companies will likely rely on putting model contracts with standard contractual clauses (model contracts) in place. The model contracts have been approved by the European Commission as providing adequate contractual protection to ensure that the privacy rights of individuals are respected as required by EU privacy law. While the European Court of Justice’s ruling could be used by individuals to challenge the validity of transfers based on model contracts, for the time being at least, model contracts remain a viable method for complying with the EU’s privacy laws.

Obtaining consent from individuals can raise complex issues of the enforceability of informed and voluntary consent, and is generally not effective for obtaining consent of employees. Binding Corporate Rules allow multinational corporations to make transfers among the corporate family across international borders, and are required to be approved by the applicable data protection authorities. Implementing and obtaining governmental approval of Binding Corporate Rules is typically expensive and time-consuming. Accordingly, it would be prudent for U.S. companies to act as soon as possible to work with EU companies — whether affiliated or non-affiliated — that send personal information to the U.S. to get the contractual protections under the model contracts in place.

If an agreement (e.g., a services or sales agreement) currently exists between the U.S. entity receiving personal information and the EU organization sending personal information, the model contract clauses can be added as an amendment to the existing agreement. If the parties do not have an agreement in place where an amendment of this type would be suitable, then the parties can enter into an agreement mirroring the language of the model contract, adding information specific to the relationship and data transfer as called for in the model contract.

Companies should also closely watch continuing developments in the EU and statements coming from the European Commission. The EU and the U.S. are currently in negotiations to modify the Safe Harbor agreement. Additionally, we expect the Commission to issue guidance in the coming days or weeks with respect to EU to U.S. transfers of personal data in light of the ECJ’s decision.

More Information About the Decision

EU privacy law requires that, before personal information of an EU citizen can be transferred outside of the EU, it must be determined that the receiving country has laws that adequately protect the privacy of such information. The European Commission had ruled that U.S. law does not protect personal information to the same extent as required under EU law. This led to the agreement and decision in 2000 approving the Safe Harbor framework, pursuant to which U.S. companies could self-certify their compliance with the Safe Harbor framework and principles, thereby permitting companies in the EU to transfer personal information to Safe Harbor certified companies in the U.S.

The European Court of Justice (ECJ) held that the European Commission (Commission) decision approving the Safe Harbor framework could not eliminate or even reduce the powers available to the EU data protection authorities (regulators) under applicable EU privacy law. The ECJ noted that the Commission was required to find that U.S. law in fact ensures a level of protection of fundamental rights essentially equivalent to that guaranteed under EU law. The ECJ then observed that the Safe Harbor framework is applicable only to the U.S. organizations that undertake to adhere to it, and that U.S. governmental authorities are not themselves subject to it. Additionally, national security, public interest and law enforcement requirements of the U.S. prevail over the Safe Harbor framework, so that U.S. governmental agencies must disregard the protective rules laid down by the Safe Harbor principles where they conflict with such national security and law enforcement requirements.

The ECJ noted that through the NSA’s PRISM program, U.S. governmental authorities were able to access personal data transferred from the EU to the U.S., and use it for purposes incompatible with the purposes for which it was originally transferred, beyond what was strictly necessary and proportionate to the protection of national security. The Court further noted that the individuals had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, corrected or deleted.

The ECJ found that, judged against EU law, U.S. law permitted general storage of all the personal data of all the individuals whose data is transferred from the EU to the U.S., without any differentiation, limitation or exception being made in light of the objective pursued, and without an objective criterion for determining the limits of governmental authorities’ access to the data and of its subsequent use. Thus, the access available to U.S. law enforcement agencies was inconsistent with the EU’s fundamental right to respect for private life.

Based on these findings, the ECJ declared the Commission’s 2000 decision approving the Safe Harbor framework invalid. The case began when Maximillian Schrems, an Austrian resident and Facebook subscriber, complained that Facebook improperly transferred his personal information from Ireland to the U.S., notwithstanding Facebook’s certification under the Safe Harbor framework. The decision has the practical effect of requiring the Irish data protection authority to examine Mr. Schrems’ complaint and to decide whether the transfer of the data of Facebook’s European subscribers to the United States should be suspended on the basis that the U.S. does not afford an adequate level of protection of personal data.

Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our clients and our colleagues. If you have any questions about this update or would like to discuss this topic further, please contact your Foley attorney or the following:

Chanley T. Howell
Jacksonville, Florida

James R. Kalyvas
Los Angeles, California

Sophie Lignier
Brussels, Belgium

Eileen R. Ridley
San Francisco, California

Aaron K. Tantleff
Chicago, Illinois

Steven M. Millendorf
San Diego, California
