On October 6, the European Court of Justice released an opinion that will have a significant effect on many companies which do business in the EU and transfer information to United States operations. In Schrems v. Data Protection Commissioner, the Court held that the EU-U.S. Safe Harbor Agreement does not preempt the data protection authorities in the respective EU member states from reviewing the legality of the transfer of personal data from the EU to the U.S. This will likely complicate the flow of customer and human resources data from the EU to the U.S.
Background on EU Approach to Privacy. The EU adopted the Data Privacy Directive in 1995. The EU Data Privacy Directive is sweeping — it applies to all sectors of the economy. In contrast, the U.S. has taken a more lenient, sector-by-sector approach to data privacy. This relative weakness of U.S. data privacy law caused the EU and U.S. to negotiate a Safe Harbor Agreement. The Safe Harbor Agreement subjected U.S. companies to stronger privacy rules (i.e., similar to the EU Data Privacy Directive). Although these rules imposed additional obligations on U.S. companies, the companies were willing to comply with the more-stringent rules in order to allow for the free flow of data from the EU to the U.S.
One important provision of the Directive of particular interest to U.S. companies with subsidiaries or business partners in the EU is the prohibition on transfers of personal data from the EU to the U.S. — even when such transfers are between affiliated companies. The Directive requires the member states to prohibit such transfers unless the U.S. “ensures an adequate level of protection.” (Article 26(1)) In light of the business realities of doing business in the U.S. and the EU, and the compliance costs of seeking approval from 28 different national data protection authorities, the Data Privacy Directive allows the European Commission to determine whether the U.S. “ensures an adequate level of protection … by reason of its domestic law or of the international commitments it has entered into.” (Article 26(6)) The Commission relied on this authority in 1998 when it entered into the Safe Harbor Agreement with the U.S. Department of Commerce.
Safe Harbor Agreement Challenged. The Safe Harbor Agreement was challenged by an Austrian Facebook user. The user complained that the transfer of his personal data by Facebook to the U.S. violated his fundamental rights. The user claimed that the U.S. did not ensure “adequate protection” of his information. As evidence of this, the user pointed to the activities of the U.S. National Security Agency and the revelations of Edward Snowden. The Court agreed with the user, holding that the Safe Harbor Agreement in its current format is invalid because it violates the human rights of EU citizens whose personal data is transferred from the EU to the U.S. Unfortunately, the Court made the decision immediately effective. This means companies which rely on the Safe Harbor Agreement must immediately review the situation and their options.
Consequences. The first consequence of this case is that U.S. companies relying on the Safe Harbor to transfer data from the EU to the U.S. will have to rely on one of the other methods for transferring personal data to the U.S. Other options are available, but they will likely take some time to implement — they cannot be accomplished overnight. For a discussion of the various options, see Chapter 11 of EU Business Law (2015).
We expect the U.S. and the EU to re-engage in negotiations to fine-tune the existing Safe Harbor. Although the European Court of Justice declared it invalid, the problem was not with the concept, but rather the lack of procedural safeguards in the Safe Harbor. With some modifications, the Safe Harbor might adequately protect the fundamental rights of the EU citizens whose data is being transferred to the U.S.
We further expect that the discussions over a modified Safe Harbor will be linked to the umbrella agreement signed on September 8, 2015 between the EU and the U.S. giving EU citizens the right to sue in the U.S. for data privacy violations. As we indicated in our blog of September 17, 2015, the Snowden revelations led to high-level diplomatic discussions between the U.S. and the EU on establishing a data protection framework for EU-U.S. law enforcement cooperation. The agreement which was reached last month still needs to be approved by the U.S. Congress as well as the European Parliament and Council. We anticipate that the decision of the Court in Schrems v. Data Protection Commissioner will cause the U.S. and the EU to work out a package solution which recognizes the need to transfer data between the EU and the U.S. without significant compliance burdens. In the meantime, however, U.S. companies will have to consider alternative ways to transfer data from the EU to the U.S.
The Court’s decision will also have implications in other areas. For example, the Securities and Exchange Commission (SEC) recently finalized new “pay ratio” rules which require U.S. public companies to disclose total CEO compensation, total compensation of the company’s median employee and the ratio of the two. Non-U.S. employees (for example, employees in the EU) generally must be included when determining the median employee compensation. So U.S. companies may experience some difficulty in transferring the needed data from the EU to the U.S. to comply with this new rule. However, some exceptions exist, and they may be helpful where it is not legally possible to transfer the information.