- Safe Harbor Invalidated - What’s Next on the Chopping Block?
- October 12, 2015
- Law Firm: Mintz Levin Cohn Ferris Glovsky Popeo P.C. - Boston Office
As I reported earlier today, the Court of Justice of the EU (ECJ) has declared Safe Harbor invalid.
There are two key elements of the ECJ’s decision. The first is that national data protection authorities in the EEA are authorized - indeed, required - to hear complaints from individuals with regard to the transfer of their personal data outside of the EEA regardless of whether the Commission has issued an adequacy decision. The second is a determination that the Commission’s adequacy decision concerning Safe Harbor is invalid. Period. It’s gone.
Most US companies that rely solely on Safe Harbor will initially focus on the second part of the decision invalidating Safe Harbor. That makes sense, because if Safe Harbor is your company’s only basis for legitimizing the transfer of personal data from the EEA to the US, your company is likely in violation of various contracts and, if your company is the data controller responsible for the transfer or otherwise directly subject to European data protection laws, it’s probably in violation of European data protection laws. Near-term consequences? The possibilities include:
- termination of contracts and exposure to damages
- customer complaints to your company
- customer complaints against your company made to local Data Protection Authorities (DPAs)
- employee complaints (although rather less likely than customer complaints)
- loss of potential new business in Europe
- orders and injunctions issued by DPAs that force your company to stop transferring personal data
- (and no doubt you can add your own parade of horribles here . . . such as lost time of your General Counsel, your head of IT systems, head of consumer services and other senior executives, possibly a need for extensive data audits, and so on)
A few days ago, some commentators suggested that Safe Harbor II would save Safe Harbor-dependent companies because it would remedy the faults that the ECJ might find with the original Safe Harbor. But now we know that even if the Commission endorses a Safe Harbor II, it can be attacked on a country-by-country basis. Furthermore, the ECJ has effectively raised the bar for Safe Harbor II - in future judicial assessments of Commission decisions, the ECJ will take a strict approach to reviewing such decisions (see Para. 78 of Schrems). To achieve a Safe Harbor II that meets the ECJ’s stringent requirements, the Commission will, effectively, need to “ensure” that the US’s national security laws don’t allow the gathering of data beyond that strictly necessary to achieve their objectives (that is, objectives that the ECJ thinks are legitimate) and contain adequate safeguards for EEA individuals. Taken in its strongest form, this could include a right to know their data has been processed by intelligence services, a right to find out what data has been gathered about them, and a right to have incorrect or incomplete data rectified (see Para. 90 of Schrems), all of which would be, to say the least, in tension with the fundamentals of intelligence work.
This all sounds a bit grim, doesn’t it? There are alternatives to Safe Harbor, although they have their own challenges.