What did the European Court of Justice decide regarding the EU-US Safe Harbor Framework?
On October 6, 2015, the European Court of Justice determined that the 15 year old EU-US Safe Harbor Framework used by over 5,000 firms is invalid and does not provide a legal basis for transfers of personal data from Europe to the U.S.
What is the EU-US Safe Harbor Framework?
The EU-US Safe Harbor Framework was established by the European Commission and the U.S. Department of Commerce in 2000 to facilitate transfers of personal data from the EU to eligible U.S. companies that certify to and comply with the Safe Harbor principles.
Why did the European Court of Justice make this decision?
The court said EU Safe Harbor did not sufficiently protect EU citizens’ personal data since the requirements of American national security, public interest and law enforcement trumped the privacy safeguards contained in the framework. In addition, EU citizens have no means of legal recourse against the misuse of their data in the United States.
What does this mean for businesses?
The decision will have an immediate impact on businesses currently relying on EU Safe Harbor as a basis for transferring data to the US for example through a 3rd party solution like a cloud solution provider or other networks of providers. Unless there is additional guidance immediately provided, which is very unlikely, current arrangements are now likely to be invalid.
Will there be immediate enforcement?
The European Court of Justice ruling invalidating the Safe Harbor is applicable immediately, but enforcement will be up to individual member states which will likely take time. However, it is likely that Mr. Max Schrems who originally brought the case and others like him could now challenge the legality of data transfers in multiple countries.
What impact in the short to medium term?
While a new replacement for Safe Harbor has been under negotiation for the last two year, until it is complete (if ever), the 28 national supervisory authorities could now play a significant role in the transfer of data to the US. This will ensure a lot uncertainty for any business operating within Europe. DLA-Piper has provided a number of excellent blogs that include perspectives from different EU member states including Germany, France, UK, Spain etc.
What recommendations do we have for businesses?
- Fully review all the applicable EU Data Protection laws
Understand the data protections laws and regulations for each country where your data may originate. While there are similarities across EU data protection laws, there can be significant differences in how they are interpreted and enforced. For example, while Safe Harbor has been widely accepted in the UK, it has been criticized in Germany for some time.
- Anonymize Your Data
Investigate leading solutions that deliver the ability to tokenize and or encrypt your data. Tokenization is s the process of substituting a piece of sensitive data element with a random, non-sensitive equivalent, referred to as a token. The token has no extrinsic or exploitable meaning or value. Applications and processes can operate with tokens the same way as they would with the original data. Encryption is the technique used to protect confidential data. The process of encryption encodes messages or information in such a way that only authorized parties can read it. We recommend using only AES 256 Encryption data protections solutions that have been FIPS 140-2 verified.
- Apply Model Clauses
In the form approved by the European Commission. These Model clauses are not flexible and will likely take time to execute, and also are not always feasible due to their pass-through liability and audit requirements.
Check out our Global Compliance Center to learn more: