- US/EU Safe Harbor Invalidated: Time for Model Contracts and Binding Corporate Rules
- October 20, 2015 | Authors: Diane D. Reynolds; Neal R. Roach
- Law Firm: Taft Stettinius & Hollister LLP - Cincinnati Office
The agreement that allowed the transfer of personal data between businesses in the United States and the European Union was invalidated by the European Court of Justice on Oct. 6, 2015. This “safe harbor” agreement had been in place since 2000. The court’s decision throws into doubt the data collection and transfer practices of countless U.S. businesses.
The safe harbor agreement was necessary because under the EU Data Protection Directive the U.S. is not considered to be a country with adequate data protection laws. The safe harbor agreement set up a framework through which a U.S. company could self-certify with the U.S. Department of Commerce that its data protection policies met the threshold required to protect EU citizens’ data.
The court’s decision came about as a result of the disclosures by Edward Snowden of the U.S. National Security Agency surveillance programs. Revelations that the U.S. government collected information directly from U.S. companies such as Facebook, Google, AT&T and others led to an EU citizen requesting that the safe harbor framework be re-examined. The case specifically related to Facebook, whose EU operations are based in Ireland. The case requested that the Irish Data Protection Authority examine whether the safe harbor system was still effective at protecting EU citizens' data. The Irish Data Protection Authority decided that it could not investigate the matter. Since Facebook’s data collection policies were compliant with the safe harbor, the Irish Data Protection Authority did not have jurisdiction to investigate. On appeal, however, the European Court of Justice determined that the safe harbor framework is insufficient to protect EU citizens and is thus invalid.
The U.S. and the EU have been negotiating a new safe harbor arrangement for over two years, but no agreement has been reached. In the short term, the European Court of Justice’s decision means that U.S. companies will have to address the transfer of personal information through model contracts or binding corporate rules. Model contracts are binding contracts stating that anyone outside the EU will commit to the same level of protection as the EU Data Protection Directive. Binding corporate rules enable multinational companies to move data between the U.S. and EU companies.