2015/10/12: The Safe Harbour Judgment and its Consequences

On Tuesday October 6th 2015 the EU Court of Justice ruled on a privacy case against Facebook. This judgment made the news everywhere, and comments (whether in favor or not) all agreed that it is a landmark case and ruling. So what is all the excitement about? For the impatient: anyone using cloud services (email, documents, CRM systems, etc.) from a USA based provider, or anyone sending personal data of clients, employees, patients etc., to the USA, will be forced to re-evaluate what they are doing, perhaps find other providers outside the USA, retrieve data from the USA, etc. It doesn't matter whether you are a one-man company or a large multinational corporation: if you transfer personal data to the USA in any way or by any means, you must re-evaluate what you are doing and adapt to the new legal situation.

Before I plunge into the details of this case, first a few basics of privacy law in Europe:

  • Privacy in Europe is governed by EU Directive 95/46/EC. This Directive focuses on personal data - data relating to an identified or identifiable natural person - and its processing - including amongst many other things its storage.
  • This Directive - and by consequence the national laws of EU Member States implementing it - imposes a set of requirements for the processing of personal data. Of interest here is that the transfer of data to a third country (i.e. outside the applicability of Directive 95/46/EC) is only allowed if that third country provides a level of protection of personal data that is adequate - in other words: adequate privacy laws.
  • The EU Commission has determined that a number of countries has adequate privacy laws. The United States of America is not among those.
  • For countries that do not have adequate privacy laws, there are several possibilities to legally transfer personal data. Most important for this story are: data can be transferred with permission from the data subject, and data can be transferred if privacy can be guaranteed through approved standard contractual clauses or approved binding corporate rules (the latter only in case of data transfers within multinational corporations).
  • Obviously, there are lots of transfers of personal data going on from EU countries to the USA. In order to facilitate these transfers, the EU Commission has come up with Commission Decision 2000/520/EC - the famous (or infamous) Safe Harbour Agreement. In essence, if a US company self-certifies that they are in compliance with the so-called “Safe Harbor Privacy Principles” issued by the US Department of Commerce, implemented in accordance with the Frequently Asked Questions issued again by the US Department of Commerce, then data transfers to that company are considered safe by the EU Commission. The US Department of Commerce maintains a list of companies that have self-certified under this “Safe Harbour Agreement” - see https://safeharbor.export.gov/list.aspx. To put it simply: when sending data to a US company that is on the Safe Harbour list, all you need is a “processor agreement” with that company and all is OK. That “processor agreement” is  always needed when sending data to another entity - whether in the EU or not - and while there are some things that need to be in there by law, it in essence is a regular commercial contract between two entities that does not need approval.
  • So, up until October 6th, sending personal data to the USA was easy: ensure that the company you were sending data to, was self-certified under Safe Harbour, and have some form of agreement in place to cover the essentials.

This system was working fine until October 6th 2015, even if many experts (myself included) were of the opinion that Safe Harbour was really deficient and did not guarantee proper privacy protection. So what happened on October 6th?  Simply put: the EU Court of Justice in Luxembourg declared decision 2000/520/EC - the Safe Harbour Decision - to be invalid. The Court gave two reasons for doing so:

  • First, the EU Commission had not stated in decision 2000/520/EC that US law provides ensures "an adequate level of protection by reason of its domestic law or its international commitments". While Article 25(6) of Directive 95/46/EC grants the Commission the power to decide that a third country has adequate protection of privacy, that same Article also requires that the laws of that country must be taken into account in such a decision. And that is exactly what did not happen in the Safe Harbour Decision: that Decision only covers the arrangements of private companies in the USA, but not US laws. In other words: the Commission simply didn't do its job properly.
    The Court has not formally stated in its decision that US law is actually inadequate, but it is very interesting that the Court does use a later Communication from the Commission (COM(2013) 847 final) to drop strong hints that it considers US law to be inadequate. The Court - and that is also very interesting and of great importance - gives two reasons. First, the Court makes it clear that access to personal data by government agencies must be limited to what is strictly necessary and proportionate to the protection of national security, and that according to the Commission's own Communication COM(2013) 847 final that is not the case in the USA. Reason: the indiscriminate access by government agencies such as the NSA etc. Second, the Court clearly states that there must be proper access to legal remedies by data subjects - in other words, a data subject must be able to go to court - and that according to the Commission's own Communication COM(2013) 847 final this is not the case either. Even though the name Edward Snowden is not mentioned in the Court's considerations, it is clear that his revelations did play a significant role here.
    To put it succinctly: two major strikes due to inadequate US law and the indiscriminate spying of US agencies, and Safe Harbour is out!
  • Second, the EU Commission in its decision 2000/520/EC had unlawfully limited away the powers of the national privacy regulators to investigate, limit or prohibit data transfers in response to a complaint from a data subject.

So what does all of this mean for you?

One thing is clear: any and all arrangements whereby personal data was transferred to the USA under the Safe Harbour Decision, are now unlawful. I don't have any numbers, but I strongly suspect that this covers most personal data transfers from the EU to the USA. And the number of affected companies in the EU will be huge: anyone using cloud services from a USA-based provider (Microsoft, Google, Amazon, etc.) is at least potentially affected, regardless of size. The same applies to anyone using any services from a US company that involves personal data. If you are a one-man law firm using a gmail email address, a small hi-tech company relying on Office 365, or a large multinational corporation sending employee data across, you are affected. Not much is needed to be affected, either: if you do any of the following, you have to re-evaluate and possibly change what you are doing (these are just some examples I recently encountered):

  • Use a Customer Relations Management system hosted at an American provider,
  • Use a gmail, yahoo or hotmail email address for business purposes that involve personal data (data about clients, customers, patients, employees etc.),
  • Use Office 365 for Business,
  • Send personal data of employees from a European subsidiary to headquarters based in the USA,
  • Send personal data of employees from European headquarters to an American subsidiary,
  • etc.

Of course, it is extremely unlikely that privacy regulators will be at your doorstep tomorrow, ready to fine you, if your current data operations are now unlawful due to this judgment. At this point, it is still unclear how national privacy regulators will react, but it would be unreasonable not to have some kind of transition period for companies relying on Safe Harbour for its data transfers to the USA.

At the same time, it would be unwise to totally ignore this development, because at some point privacy regulators in the EU will take action against companies and entities still transferring personal data to the USA based on the now defunct Safe Harbour Agreement. Once the dust has settled a bit and it is clear how the relevant authorities will react to this judgment, I'll post an update with tips on how to proceed. Stay tuned!

This weblog is maintained by Dr. Martin Beckmann LLM. If you discover any inaccuracies, factual errors, other corrections, or questions, please contract him at m.beckmann@beckmann-consult.com or at the contact data listed on our contact page.

© 2013 - 2016 Adviesbureau Beckmann B.V., Eurode-Park 1 - 62, 6461 KB Kerkrade, The Netherlands
KvK / Dutch Chamber of Commerce: 53767373 | Statutaire Zetel / Registered Office: Heerlen
BTW nummer / VAT ID: NL 8510.09.323.B.01
Data Center picture © Gregory Maxwell, distributed under the GNU Free Documentation License v1.2
All other pictures © Dr. Martin Beckmann LLM

We use the WURFL software to provide optimal rendering of this website on mobile devices.
As per the Wurlf license conditions, this software can be downloaded here .