Wednesday, October 7, 2015

Cross-Border Data Flows after EU Invalidation of EU-US Safe Harbor Agreement

Stop the presses! On October 6, 2015, the European Court of Justice invalidated the July 26, 2000 international agreement between the European Union (EU) and the United States called the “Safe Harbor” agreement. The case, Schrems v. Facebook, Inc., arises from a complaint by an Austrian national concerned about the protection of his personal data held in the U.S. by Facebook in the wake of the 2013 disclosures by Edward Snowden regarding the sharing of personal data stored by Facebook and others with U.S. intelligence.

This decision could have a huge impact on all U.S. Internet-based businesses and on all multinational businesses that collect data from EU individuals. It may require reworking existing arrangements and signing new contracts for data center management, data collection, and analytics that use EU Big Data, as well as for social and mobile websites.

Under the Safe Harbor Agreement, U.S. companies and their EU affiliates could freely exchange EU “personal data” (concerning individuals residing in the EU), even if the U.S. did not have “adequate protection” to comply with the EU Data Protection Directive of 1995. The Safe Harbor only required that the U.S. companies enter into an agreement with their foreign affiliates to comply with EU Data Protection mandates and file the agreement with the U.S. Department of Commerce.

The EU Court invalidated the Safe Harbor Agreement for several reasons. The Safe Harbor Agreement fails to satisfy the EU Data Protection Directive’s rules, because:

  • the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data;
  • the EU Commission has not made a finding that the U.S. ensures an adequate level of protection by reason of its domestic law or its international commitments; and
  • the U.S. has not designated any public authorities (a “data protection authority”) responsible for monitoring the application within its territory of the local “national provisions” adopted on the basis of the EU directive.

Considering a potential conflict of laws between the U.S. and the European Union, the Court’s press release No. 117/15 states:

“the Court observes that the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.”

As a result, cross-border data transmission from the EU to the U.S. could be prohibited without new U.S. federal legislation equivalent to the EU Data Protection Directive. This will prevent social media like Facebook, data brokers, credit card companies, and consumer goods websites from storing EU personal data in the U.S. Data stored in computers in the EU will be under the jurisdiction of EU courts.

This decision underscores the importance of a strong digital compliance program that covers not just personal data, but also digital business records. It’s time to review your policies, procedures, roles and responsibilities, and business models. It’s a whole new digital world!