October 28, 2015
European Court Invalidates U.S.-EU Safe Harbor, Transfer of European Personal Data to U.S. Now Unlawful Without Additional Safeguards
On October 6, 2015, the Court of Justice of the European Union (CJEU) (the EU’s highest court) invalidated the U.S.-EU Safe Harbor framework that has defined the privacy standards for transfer of personal data from the EU to the U.S. since 2000. European law prohibits transfer of European citizens’ personal data to other countries unless those countries guarantee adequate levels of protection. The U.S. Department of Commerce (Federal Trade Commission) and European Commission jointly developed and sanctioned the Safe Harbor framework as a compliant standard for transfer of European personal data, and thousands of organizations have relied on the Safe Harbor framework to craft data privacy practices and policies. Now, according to a recent EU advisory statement, “transfers that are still taking place under the Safe Harbor decision after the CJEU judgment are unlawful.”
The CJEU’s decision stems from a case brought by an Austrian national against Facebook in Ireland (the site of Facebook’s international headquarters), alleging that the Safe Harbor failed to protect European citizens’ privacy rights in light of large-scale U.S. intelligence surveillance activities revealed by Edward Snowden in 2013. A full text of the ruling is available here. As a result of the decision, multi-national companies, even those that have self-certified using the FTC’s form, can be found liable for violating the EU’s directive and the various data privacy laws of individual European nations. This affects both intra-organizational data transfers and transfers to third-party service providers involving the personal data of EU citizens.
While the FTC has acknowledged the decision, it recently issued an advisory stating that it would continue to process submissions for Safe Harbor self-certification. It is not certain what, if any, benefit self-certification will now provide. To avoid the risk of liability, multi-national companies that continue to transfer and process European citizens’ personal data may need to use Standard Contractual Clauses for each transfer, adopt EU-approved Binding Corporate Rules, or obtain other authorization. Without these safeguards, companies risk exposure to legal action resulting in monetary fines and/or prohibition on data transfers from the EU to the U.S. Companies that have relied on the Safe Harbor to transfer European personal data to the U.S. are invited to contact us to discuss alternative measures for compliance.
For additional information and discussion on this topic, please get in touch with your regular Calfee contact or one of the attorneys listed below:
This alert is provided by Calfee, Halter & Griswold LLP for education and information purposes only. This alert is not intended to provide legal advice on specific subjects. The resolution of legal issues depends upon the specific facts of a particular situation and the laws involved and prior results do not guarantee a similar outcome. This alert may be considered advertising under applicable laws. Some links within this alert may lead to web sites. Calfee, Halter & Griswold LLP does not necessarily sponsor, endorse or otherwise approve of the materials appearing in such sites. All trademarks and copyrighted material are the property of their respective owners and the use of such material in this alert, articles, or by Calfee, Halter & Griswold LLP is for informational purposes only and does not indicate sponsorship or endorsement by the trademark or copyright holder of either Calfee or the content of this alert.