The European Court of Justice's ("ECJ") top lawyer declared today that the EU-U.S. Safe Harbor regime is invalid. If this advice is adopted by the ECJ, it could have widespread consequences for how data is transferred to, and used by, U.S. companies.
What is the Safe Harbor Regime?
The European Data Protection Directive 95/46/EC prohibits the transfer of personal information relating to EU residents outside of Europe, unless it is being transferred to a jurisdiction that is deemed to ensure adequate protection for such personal information. In July 2000, the European Commission declared that the EU-U.S. Safe Harbor regime did provide adequate protection of personal information and therefore could be relied upon as a legal method of transfer for personal information. Since then many EU organizations have relied upon their U.S. vendors', service providers' or other counterparts' Safe Harbor certification to permit transfers of personal information to the U.S.
So what is the problem?
In recent years there has been mounting pressure on European lawmakers to make changes to the Safe Harbor regime. Concerns have long been expressed within Europe about the impact the U.S. Patriot Act has on the concept of adequate protection of personal information transferred to the U.S., and the widely publicized Edward Snowden revelations in 2013 added significant fuel to that fire. In today's opinion, Advocate General Bot stated that Snowden's revelations expose significant flaws in the Safe Harbor regime, including the fact that personal data transferred under the regime is not adequately protected from unauthorized onward transfer, use, nor access.
Is this a big problem?
Not yet. This is just an opinion and is not yet law. The matter will ultimately be decided by the ECJ in a decision likely to be handed down before the end of the year; however, this opinion will be highly influential.
Note, however, that this issue hasn't arisen in a vacuum. Authorities on both sides of the Atlantic are currently engaged in discussions regarding an updated version of the EU-U.S. Safe Harbor Agreement. We have also seen recently an increase in European companies asking our clients for further contractual assurances over and above Safe Harbor certification.
What should you be doing?
Alternative methods of ensuring adequate protection (and therefore, the legal transfer of personal information to the U.S.) do exist. Examples are: model contract clauses, binding corporate rules, or, in some cases, consent of the data subject. If your company is involved in importing personal information from Europe, you should review your transfer arrangements (contractual and operational) and consider implementing alternative or supplementary compliance mechanisms.
Final thoughts.
The results of this opinion are, in time, going to be significant, but should not be the death knell for Safe Harbor. Safe Harbor is a regime that works well for the vast majority of companies whose need to export personal information to the U.S. is both genuine and highly important to the functioning of their organization. There will be changes to Safe Harbor, which will likely involve significantly more oversight from EU regulators and more stringent controls around third-party access to personal information. As ever, time will tell, but Safe Harbor 2.0 may look very different to what it currently looks like.