ECJ’s Safe Harbor Decision - What it means for startups
On 6 October 2015, the European Court of Justice declared the Commission’s US Safe Harbor Decision invalid. This will have a tremendous impact on all European companies that transfer personal data to the US on the basis of the US Safe Harbor Decision, e.g. startups that use cloud technology on servers located in the USA.
What is the Commission’s US Safe Harbor Decision?
Under the EU Data Protection Directive, personal data may be transferred outside the EU only if the receiving country provides adequate personal data protection – which the European Court of Justice interprets to mean “substantially equivalent” to European standards.
The European Commission was granted the authority to decide whether a particular non-EU country ensures adequate protection “by reason of its domestic law or of the international commitments it has entered into.” The European Commission entered into an agreement called the “Safe Harbor” agreement with the US Department of Commerce based on self-certification. Under this “Safe Harbor” agreement, transfer of personal data from the EU to a US organization was lawful if the US organization receiving the data had unambiguously and publicly disclosed its commitment to complying with the “Safe Harbor Privacy Principles” as set out in the Commission Decision 2000/520/EC of 26 July 2000.
The European Court of Justice has now declared this Safe Harbor Decision invalid because, when making the decision, the European Commission did not sufficiently determine that the US was providing adequate personal data protection and exceeded its authority by depriving national regulators of their supervisory powers and responsibilities.
Consequences for data transfers to the US
The European Court of Justice did not explicitly determine that US laws and regulations do not provide adequate personal data protection, but the grounds on which the judgment was based indicate that the court assumed that this is not the case. Companies that in the past relied on the Safe Harbor Decision for transferring personal data to US organizations, e.g. cloud services, are therefore facing the question of how personal data can be legally transferred to the USA in the future.
Generally, there are three ways of addressing this issue: (1) using the standard contract clauses recommended by the European Commission in all agreements, (2) obtaining approval from the person concerned and (3) implementing so-called Binding Corporate Rules – BCRs – within companies. When personal data is transferred to a third party, option (3) is not a potential solution, however, as such BCRs do not apply to the receiving organization.
The most common solution currently used for cloud services is option (1) – the use of standard contract clauses. That, however, is insufficient if the receiving country fails to provide certain minimum standards for the protection of personal data because then the receiving organization might be under a legal obligation to disclose the data, e.g. to authorities, even if such disclosure violated the protection provided by standard contract clauses. It is questionable whether the US meets these minimum standards as the Patriot Act gives US authorities, e.g. the NSA, extensive access rights to data on US servers. Moreover, the use of standard contract clauses can be insufficient if an EU-based provider of cloud services is used but this service provider has outsourced the data hosting to third parties that operate servers outside the EU.
Option (2) – obtaining approval from each individual person concerned – is often very difficult and burdensome, and may not be a permanent solution as such approval can be withdrawn at any time. Nevertheless, many companies, e.g. Google, are currently operating with such approval and provide their services only if such approval is granted.
Adding to this uncertainty, the Privacy Commissioner of the city of Hamburg has announced that the city will scrutinize if and to what extent data transfers to the USA will have to be put on hold, regardless of whether such transfers are made pursuant to (1) the “Safe Harbor” regime, (2) standard contract clauses, (3) BCRs or (4) approval by the persons concerned.
For the time being, there appears to be no failsafe solution; therefore the issue should remain on the agenda of all companies concerned.