Today, the European Court of Justice (“ECJ”) handed down a preliminary ruling in the Schrems case. The Schrems argued that the U.S. government’s alleged access to the personal data of EU citizens collected by Facebook meant that Facebook did not provide adequate protection for the personal data of EU citizens. The ECJ finds in this preliminary ruling that the EU-U.S. Safe Harbor Framework is no longer a valid mechanism to establish adequacy for European companies to transfer personal information to U.S. companies.
The ECJ followed the Advocate General’s (“AG’s”) opinion issued on September 23, 2015, that recommended that the ECJ completely invalidate the Safe Harbor. This ruling may directly and substantially affect how U.S. businesses will interact with European businesses, including their affiliated entities and service providers. The decision is largely driven by concerns in the EU that, under U.S. law, enforcement authorities will have access to personal data of EU citizens for U.S. national security programs. What is ironic, however, is that any exposure to surveillance by the U.S. government is not unique to companies that use the Safe Harbor, but also applies to companies that rely on other compliance methods (such as binding corporate rules or model clause contracts). Therefore, this groundbreaking move to invalidate the negotiated Safe Harbor mechanism in place since 2000, potentially, may call into question other data transfer mechanisms currently in place. The decision opens the door for both individuals and the privacy authorities in EU Member States to challenge other adequacy findings and programs established by the European Commission. U.S. companies may well face increased scrutiny from privacy advocates and EU regulators.
Over 4000 U.S. companies have relied on the Safe Harbor to authorize their transfers of personal data from the EU to the U.S. It is worth noting that the European Commission and the U.S. have been negotiating amendments and/or alternatives to the Safe Harbor. This preliminary ruling may impact those negotiations and delay implementation of a new version of the Safe Harbor for U.S. companies. At a minimum, U.S. companies can expect to face more scrutiny from EU regulators.
U.S. companies now face a period of increased uncertainty regarding the transfer of personal data from the EU. Together with their counsel, U.S. businesses will need to evaluate the types and amounts of data, country of origin and data flows to determine what mechanisms to use for transfers of personal data from the EU to the U.S. We are ready to assist in helping companies to identify and implement appropriate measures to allow for the transfer of personal data between the EU and the U.S.