
Eduardo Ustaran: Life after Safe Harbor – an action plan

In this piece that originally appeared in the Internet Newsletter for Lawyers, Eduardo Ustaran, partner at Hogan Lovells, considers the implications of the CJEU’s recent decision in the Schrems case and sets out an action plan for companies previously reliant on Safe Harbor for EU to US transfers.

On 6 October 2015, the Court of Justice of the European Union (CJEU) declared the EU–US Safe Harbor framework invalid as a mechanism to legitimise transfers of personal data from the EU to the US. This decision effectively leaves any organisation that relied on Safe Harbor exposed to claims that such data transfers are unlawful and could have serious implications for transfers of personal data both within multinationals and to global service providers.


Safe Harbor was jointly devised by the European Commission and the US Department of Commerce as a framework that would allow US-based organisations to overcome the restrictions on transfers of personal data from the EU. However, since its adoption, Safe Harbor was fraught with challenges. Although the data protection requirements set out in the Safe Harbor Privacy Principles were meant to match the standards of protection of European law, its self-certification nature and the non-European style of its provisions have attracted much criticism over the years. In particular, the revelations triggered by Edward Snowden in 2013 about the US intelligence surveillance operations led the European Parliament to adopt a resolution seeking its immediate suspension. The European Commission had no choice but to reopen the dialogue with the US government to find a way of strengthening the framework and restoring its credibility.

The Schrems case

One particular individual, Austrian law student Max Schrems, decided not to wait for the outcome of the re-negotiation of Safe Harbor. He lodged a complaint with the Irish Data Protection Commissioner requesting the termination of any transfers of personal data by Facebook Ireland to the USA. However, the Irish Commissioner rejected the complaint on the basis that the adequacy of Safe Harbor had already been determined by the European Commission and therefore, it was not open to the Irish Commissioner to challenge the European Commission’s “adequacy finding”. This was not accepted by Schrems who sought judicial review of the Commissioner’s decision by the High Court of Ireland, which then referred the case to the CJEU.

In its ruling, the CJEU confirms that a national data protection authority is always empowered to challenge the adequacy of data transfers. More importantly, the ruling goes beyond this specific question by declaring that Safe Harbor does not in fact provide an adequate level of data protection, because it is unable to prevent large-scale access by the US intelligence authorities to data transferred from Europe.

The practical effect of Schrems

The decision invalidating Safe Harbor has the following immediate consequences:

  • Transfers of personal data from the EU to the US currently covered by Safe Harbor will be unlawful unless they are suitably authorised by data protection authorities or fit within one of the legal exemptions.
  • Multinationals relying on Safe Harbor as an intra-group compliance tool to legitimise data transfers from EU subsidiaries to their US parent company or other US-based entities within their corporate group will need to implement an alternative mechanism.
  • US-based service providers certified under Safe Harbor to receive data from European customers will need to provide alternative guarantees for those customers to engage their services lawfully.

It is also critical to appreciate that the CJEU did not rule on whether the Safe Harbor principles were sufficiently close to the European data protection standards. The CJEU ruled that Safe Harbor is no longer a valid mechanism to legitimise data transfers because it does nothing to address the potentially excessive interference of US law with the fundamental rights to privacy and data protection that exist under EU law. Therefore, any alternative mechanisms being relied on will need to address this specific point by ensuring that they refer to this potential conflict in a data protection compliant way.


Data transfers can lawfully be made with the consent of the individual. However, consent must be freely given and, while it is possible to make consent a condition for the provision of a non-essential service, consent is unlikely to be valid if the individual has no real choice. This is particularly the case in the context of employment where, if an existing employee is required to agree to the international transfer of personal data, any consent given is unlikely to be valid if the penalty for not agreeing is dismissal.

Consent must also be specific and informed. This means that the individual must know and understand what such consent will amount to. Individuals should be informed of the reasons for the transfer and, if possible, the countries involved. In addition, any identified risks involved in the transfer should be brought to the individual’s attention. As a result, in practice it will be very difficult to make a valid argument that consent provides a lawful basis to legitimise international data transfers.

The EU authorities’ position

The EU Article 29 Working Party issued a statement following the CJEU decision emphasising that affected businesses should start to put in place legal and technical solutions in a timely manner to meet EU data protection standards. The statement gave a January 2016 deadline for companies to come into compliance with the ruling, at which point EU data protection authorities would be “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”

Therefore, the EU data protection authorities have made it clear that they expect companies to ensure an adequate level of protection for European data at all times. In the meantime, the Working Party will continue to analyse the available transfer tools, such as the Standard Contractual Clauses and Binding Corporate Rules, but these transfer mechanisms can be subject to investigation by data protection authorities to protect individuals in “particular cases,” for instance on the basis of complaints.

Action plan

Before the January 2016 enforcement deadline, companies that previously relied on Safe Harbor for their EU to US transfers should follow this process:

  • Carry out a data transfers assessment to identify which data transfers from the EU to the US had been legitimised by Safe Harbor.
  • Prioritise key transfers for the business by reference to the nature of the data and its use.
  • For intra-group transfers, identify all of the entities involved and assess the most suitable alternative to Safe Harbor. In the short term, this is likely to involve an interim contractual solution whilst more permanent mechanisms – such as BCR – are considered.
  • For transfers to service providers, review any existing contracts for references to Safe Harbor and determine whether the relevant vendor is offering a suitable contractual option or is able to rely on a Processor BCR.
  • US-based service providers should consider the most appropriate legal mechanism to enable customers to continue to use their services lawfully.
  • Finally, whatever the mechanisms used, ensure that they include suitable measures to deal with requests for disclosure of personal data by law enforcement authorities.

Eduardo Ustaran is a partner in the Privacy and Information Management practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email eduardo.ustaran@hoganlovells.com. Twitter @EUstaran. This piece originally appeared on the Internet Newsletter for Lawyers and is shared with the author and publisher’s permission.

Lorna Woods: Safe Harbour – Key Aspects of the ECJ Ruling

On Tuesday (6 October) the Court of Justice of the European Union (ECJ) declared that the Safe Harbour agreement that allows the movement of digital data between the EU and the US was invalid. The case was brought by Max Schrems, an Austrian student and privacy campaigner who, in the wake of the Snowden revelations of mass surveillance, challenged the way in which technology companies such as Facebook transferred data to the US. In this guest post, which originally appeared on the LSE Media Policy Project blog, Professor Lorna Woods of the University of Essex explains some key aspects of the judgment.

This case arises from a challenge to the transfer of personal data from the EU (via Ireland) to the United States, which relied on Commission Decision 2000/520 stating that the Safe Harbour system in place in the United States was ‘adequate’ as permitted by Article 25 of the Data Protection Directive. While the national case challenged this assessment, the view of the Irish data protection authority (DPA) was that it had no freedom to make any other decision – despite the fact that the Irish authorities and courts were of the view the system did not meet the standards of the Irish constitution – because the European Commission decision was binding on them. The question of the validity and status of the Decision was referred to the Court of Justice of the European Union (ECJ).

The Advocate General, a senior ECJ official who advises on cases, took the view that the Commission’s decision could not limit the powers of DPAs granted under the directive and that the US system was inadequate, particularly as regards the safeguards against mass surveillance (a more detailed review of the AG’s Opinion can be found here). The ECJ has now ruled, following very swiftly on from the Opinion. The headline: the Commission’s decision is invalid. There is more to the judgment than this.

Powers of DPAs and Competence

The ECJ emphasised that the Commission cannot limit the powers granted by the Data Protection Directive, but at the same time Commission decisions are binding and benefit from a presumption of legality. Nonetheless, especially given the importance of the rights, individuals should have the right to be able to complain and ask a DPA to investigate. DPAs remain responsible for oversight of data processing on their territory, which includes the transfer of personal data outside the EU. The ECJ resolves this conundrum by distinguishing between the right and power of investigation and challenge to Commission decisions, and the declaration of such decisions’ invalidity. While the former remains with DPAs, the latter, following longstanding jurisprudence, remains with the ECJ.

Validity of Decision 2000/520

The ECJ noted that there is no definition of what is required by way of protection for the purposes of Article 25 of the Data Protection Directive. According to the ECJ, there were two aspects to be derived from the text of Article 25. There is the requirement that protection be ‘adequate’ in Article 25(1) and the fact that Article 25(6) refers to the fact that protection must be ensured. The ECJ agreed with the Advocate General that this Article is ‘intended to ensure that the high level of that protection continues where personal data is transferred to a third country’ (para [72], citing the Advocate General’s Opinion para [139]), which seems higher than ‘adequate’ might at first suggest. That requirement does not, however, mean that protection in third (non-EU) countries must be identical but rather that it is equivalent (para [73]) and effective (para [74]). This implies an on-going assessment of the rules and their operation in practice, where the Commission has very limited room for discretion.

The Court concluded that the Decision was unsound. It did so on the basis that mass surveillance is unacceptable, that there was no legal redress and that the decision did not look at the effectiveness of enforcement. It steered clear of determining whether the self-certification system itself could ever be fit for purpose, basing its reasoning only on elements of the Commission’s decision (but which were so linked with the rest that their demise meant the entire decision fell).


This is a judgment with very far reaching implications, not just for governments but for companies the business model of which is based on data flows. It reiterates the significance of data protection as a human right, and underlines that protection must be at a high level. In this, the ECJ is building a consistent line of case law – and case law that deals not just with mass surveillance (Digital Rights Ireland) but activities by companies (Google Spain) and private individuals (Rynes).

At a practical level, what happens today with the Decision declared invalid? Going forward, will there be more challenges looking not just at mass surveillance but at big data businesses self-certifying? What will happen to uniformity in the EU? Different Member States may well take different views. This should also be understood against the Weltimmo judgment of last week, according to which more than one Member State could have the competence to regulate a multinational business (irrespective of where that business has its registered office in the EU). Finally, what does this mean for the negotiation of the Data Protection Regulation? The political institutions had agreed that the Regulation would not offer lower protection than the Data Protection Directive, but now we might have to examine this directive more closely.