The European Court of Justice (the CJEU) has held that the Safe Harbor privacy principles for the transfer of data to the US are invalid, opening questions on past and future data transfers that rely on those data protection rules and calling for immediate action.
The Safe Harbor privacy principles case
The Safe Harbor privacy principles set out the terms under which personal data can be transferred from the European Union to companies based in the United States that have committed to complying with those principles. This applies even though the United States is considered, under European Union legislation, to be a country that does not ensure an adequate level of protection of personal data.
Following the opinion of the Advocate General on the matter, the European Court of Justice has now held that
- an EU supervisory authority has full power to investigate and suspend the transfer of personal data to the US, irrespective of the EU decision validating the Safe Harbor Principles; and
- the European Commission decision approving the Safe Harbor Principles is INVALID as the principles do not ensure a level of personal data protection equivalent to the one guaranteed within the European Union.
The position of the European Court of Justice is mainly based on the fact that the Safe Harbor principles are not binding on public authorities in the US. Such authorities can access data even in circumstances that are not strictly necessary, thereby compromising the fundamental rights of EU citizens and preventing them from even accessing the data processed about them.
What happens NOW to data flows?
The impact of this decision on businesses is ground-breaking, causing most organizations to rethink their cross-border data transfers (as our colleagues also pointed out here).
The questions that we are receiving from our clients in this “crazy” day include:
- What happens with regard to the processing of data performed so far under the Safe Harbor principle?
- Must Safe Harbor-certified entities block future transfers of personal data from the EU?
- Or can such entities continue to process the data already transferred to the US under the Safe Harbor principles?
It is important to emphasize that the decision of the European Court of Justice cannot per se suspend data flows to the US, as that power lies with the local data protection supervisory authorities. However, in light of the decision, data transfers based solely on the Safe Harbor principles are likely to be challenged.
What shall you do RIGHT NOW?
A possible immediate action list, to be implemented in the short term by both EU entities transferring data to the US and US entities receiving data from the EU, is to
- review the data currently transferred under the Safe Harbor, including agreements with US vendors relying on them;
- limit such data transfers to what is crucial for the business of the company; and
- identify immediate alternative solutions, e.g. the implementation of the standard contractual clauses.
What shall you do regarding FUTURE data transfers?
Companies now certainly have to find alternative legal grounds for transferring data to the US: in the short term, e.g., the standard contractual clauses, while in the long term the Binding Corporate Rules might be a better solution.
But are we sure that the reasoning of the court cannot be extended to affect also data transfers to the US performed on the basis of the EU Commission Decisions concerning Binding Corporate Rules and Standard Contractual Clauses?
In fact, in these cases too, US public authorities would be authorized to process the transferred data, with the consequence that these decisions might also be invalid.
Since the ruling of the European Court of Justice applies immediately, the practical effect of the decision will also depend on the actions of the national data protection authorities. However, due diligence on how data are transferred between the EU and the US might minimize the risks for the business.
The position of the Italian data protection authority
The Italian privacy authority has already commented on the decision. In brief, Mr. Soro, the chairman of the Italian data protection authority, welcomed the court's position, which requires personal data to be protected also against those processing it outside the European Union. However, Mr. Soro called for a consistent approach by data protection authorities to the impact of the decision, by means of the issuance of guidelines on the matter. This would definitely be crucial for companies operating in several EU Member States.