Safe Harbor was jointly devised by the European Commission and the U.S. Department of Commerce as a framework that would allow US-based organisations to overcome the restrictions on transfers of personal data from the EU. Following a dispute between Austrian law student Max Schrems and the Irish Data Protection Commissioner, the CJEU was asked to consider whether a data protection supervisory authority was bound by the European Commission’s decision that Safe Harbor provided an adequate level of protection for European data.
In its ruling, the CJEU goes beyond this specific question and takes the view that Safe Harbor does not in fact provide an adequate level of data protection, because it is unable to prevent large-scale access by the U.S. intelligence authorities to data transferred from Europe.
What is the practical effect of the decision?
The decision invalidating Safe Harbor has the following consequences:
-
Transfers of personal data from the EU to the US currently covered by Safe Harbor will be unlawful unless they are suitably authorized by data protection authorities or fit within one of the legal exemptions.
-
Multinationals relying on Safe Harbor as an intra-group compliance tool to legitimize data transfers from EU subsidiaries to their US parent company or other US-based entities within their corporate group will need to implement an alternative mechanism.
-
US-based service providers certified under Safe Harbor to receive data from European customers will need to provide alternative guarantees for those customers to be able to engage their services lawfully.
Our suggested plan of action
In the light of the CJEU’s judgment, our advice to organisations affected by it is as follows:
-
Carry out a data transfers assessment to identify which data transfers from the EU to the US had been legitimized by Safe Harbor.
-
Prioritise key transfers for the business by reference to the nature of the data and its use.
-
For intra-group transfers, identify all of the entities involved and assess the most suitable alternative to Safe Harbor. In the short term, this is likely to involve an interim contractual solution whilst more permanent mechanisms – such as BCR – are considered.
-
For transfers to service providers, review any existing contracts for references to Safe Harbor and determine whether the relevant vendor is offering a suitable contractual option or is able to rely on a Processor BCR.
-
US-based service providers should consider the most appropriate legal mechanism to enable customers to continue to use their services lawfully.
In a complimentary webinar on Wednesday, October 7 at 12:00pm (EDT), Eduardo Ustaran of Hogan Lovells’ London office, Stefan Schuppert of our Munich office, Winston Maxwell of our Paris office, and Bret Cohen of our Washington office will analyze the implications of the CJEU decision for companies that rely on Safe Harbor to legitimize their cross-border transfers to the United States, including:
-
What is the status of data transfers currently being legitimized by Safe Harbor?
-
What alternative options are available for Safe Harbor members to lawfully receive data from Europe?
-
What steps must Safe Harbor members take to transition to those other options?
-
What are Safe Harbor members required to do with EU data already in the U.S.?
-
How to respond to enquiries from EU clients and regulators concerned about the lack of a lawful basis for transfers.
Webinar Details: Safe Harbor—What Next?
Date: Wednesday, October 7, 2015
Time: 12:00 pm (EDT) / 17:00 (BST) / 18:00 (CEST)
To RSVP for the Hogan Lovells webinar, Safe Harbor—What Next?, click here.
For a short PDF reflecting the analysis and practical next steps from this blog post and suggested Hogan Lovells contacts, click here.
Authored by Eduardo Ustaran, Stefan Schuppert, Winston Maxwell, Harriet Pearson, and Bret Cohen.
