Europe’s top court ruled against a safe harbor agreement that has allowed companies to move people’s digital data between the European Union and the United States, leaving businesses with operations in both regions in legal limbo.

The EU and US have been in talks to establish newer data protection laws, but no agreement has been finalized.

“This ruling was anticipated, so many international staffing firms will have contingency plans in place,” said Fiona Coombe, Staffing Industry Analysts’ director of legal and regulatory research. “However these may take some time to effect and in the meantime companies that do transfer data from EU member states need to understand what the regulators in those states intend to do.”

Law firm Osborne Clarke has outlined the case and implications for businesses:

The CaseCase C-362/14 Maximillian Schrems v Data Protection Commissioner

In 2013, former CIA analyst Edward Snowden leaked details of mass surveillance activities of European individuals undertaken by US authorities, which were widely viewed as violating European rules. In the wake of these revelations, privacy activist Maximilian Schrems complained to the Irish Data Protection Commissioner (Irish DPC) about the transfer of data from Facebook Ireland to servers in the US.

Schrems argued that US authorities’ access to users’ personal data meant that Facebook did not ensure an adequate level of protection as required by European law and he asked the Irish DPC to investigate. This was refused as the transfer was made under safe harbor — a mechanism for EU-US data transfers that the European Commission had already deemed to be adequate.

Schrems appealed the decision to the Irish High Court, which asked the CJEU whether national data protection authorities are bound by adequacy decisions of the European Commission or whether they may and/or must conduct their own investigations in certain circumstances.

The CJEU has decided that:

  • Safe harbor is invalid;
  • Mass and indiscriminate surveillance activities by US authorities is a violation of the Data Protection Directive and the fundamental rights afforded to European citizens under the Charter of Fundamental Rights of the EU; and
  • A data protection regulator must be able to exercise its independence to suspend a transfer if it finds that the protections offered to European individuals are inadequate — i.e., it is not necessarily bound by a European Commission decision of adequacy.

In response, the Commission has already confirmed that negotiations with the US for a “safer” safe harbor framework will continue. It is also committed to working together with the Article 29 Working Party and the national data protection authorities to achieve a uniform application of the CJEU’s decision across EU Member States.

What this means for companies

Businesses that have previously relied on safe harbor to ensure an adequate level of protection face an uncertain period during which they will need to adopt alternative solutions.

Regulators are likely to require robust evidence that data is being protected and will very likely demand additional protective measures be put in place for data transfers to the US — such as Binding Corporate Rules (for intra-group transfers) or European Commission approved model clauses — at least until a new safe harbor framework is agreed.