ECJ states ‘Safe Harbour is invalid’ – How to act

On the 6th of October, the European Court of Justice (ECJ) published a court ruling that could have implications for organisations transferring data to the US. The ECJ has ruled that the Safe Harbour agreement does not override the national data protection authorities and is thus invalid.

This is the result of the case against Facebook in Ireland, raised by an Austrian privacy activist. The privacy activist filed a complaint with the Irish data protection authority claiming that Facebook, which has its European headquarters in Ireland, does not protect his and others’ privacy when data is transferred to Facebook’s servers in the US. The Irish data protection authority rejected the complaint on the ground of the ‘Safe Harbour’ decision of the European Commission of July 2000, in which it was decided that the US ensures an adequate level of protection for the personal data being transferred.

What is the Safe Harbour agreement?

Safe Harbour is an agreement between the US and the European Union that legalises the transfer of privacy-sensitive data between the two regions. Safe Harbour was put in place to reconcile the differing rules concerning data in the US and Europe, saving the time otherwise spent determining the applicable legal framework for every separate case.

The basis for the ECJ ruling the Safe Harbour agreement invalid is that US public authorities themselves are not bound by the agreement. The US government is legally allowed to demand access to data stored in datacentres, even those located in Europe, as long as these datacentres belong to US companies.

What are the consequences?

Safe Harbour can no longer be relied upon as an agreement legalising the transfer of privacy-sensitive data to the US or to US companies. In addition, the court ruling implies that any country can impose its own laws and regulations regarding data transfers to the US, with which organisations would have to comply. This would require changes to current and future contracts to follow each country’s specific laws and regulations. Besides that, the role of the data privacy regulators intensifies, since any citizen can file a complaint claiming that their privacy is being violated; pointing citizens to the Safe Harbour agreement is no longer a valid answer. Lastly, data protection authorities could, on a case-by-case basis, even decide to prohibit the transfer of data to the US.

The College Bescherming Persoonsgegevens (CBP) has announced that it will not immediately prohibit any current data transfers. The CBP explained that its next step is to align with the other data protection authorities in Europe and reach a common position. The direct legal consequences of this court ruling therefore seem limited: it is highly improbable that data transfers to the US will be actively prohibited in the short term. Besides that, most organisations did not consider the Safe Harbour agreement to provide meaningful guarantees for data protection as part of their risk mitigation strategy anyway.

…and now what to do?

The court ruling highlights the importance of data privacy and the legal challenges around cloud usage. Organisations should therefore consider the following aspects.

  • Perform privacy impact assessments to determine the privacy risks of data transfers to the US and the impact on your organisation.
  • Perform risk assessments to determine the actual risk of cloud usage and adoption, and the required risk mitigations.
  • Gather the legal requirements regarding cloud services and incorporate them into cloud adoption processes (e.g. data processing agreements).
  • Challenge cloud service providers on their intentions to support compliance with changes to laws and regulations (e.g. the GDPR).

To deal specifically with data transfers to the US, it is important to cover data protection in contracts with cloud service providers and other outsourcing parties. Organisations should opt for data processing agreements with cloud service providers that incorporate the EU model clauses. The EU model clauses enable organisations to comply with the EU’s current Data Protection Directive regarding cross-border transfers of personal data.

This court ruling shows the focus on data privacy within Europe and the need for well-aligned laws and regulations across European countries. The upcoming GDPR could be very valuable in providing a clearer legal framework with which all European organisations should comply. Organisations should use this momentum to prepare for the upcoming changes.

This article was produced in collaboration with KPMG IPS.