European Union Court Finds American Privacy Protection Insufficient; May Impose Severe Restrictions on US-EU Data Transfers
Does your company maintain a database that includes personal information on citizens of the European Union? If so, you have probably been able to do so without penalty because of a provision, recognized in European* and American law, that provided a “safe harbor” under European law for American companies – companies that remain subject to the Patriot Act and other American surveillance legislation. No longer.
In a case decided October 6, 2015 by the Court of Justice of the European Union [Maximilian Schrems v. Data Protection], the safe harbor provision that had protected American companies since 2000 was declared invalid.
Mr. Schrems was an Austrian subscriber to Facebook, who objected that the personal information he provided to Facebook in Europe was transferred to servers in the United States, where it was denied privacy protection guaranteed by European law. The Court of Justice agreed with Mr. Schrems, overruled the previous safe harbor decision of the European Commission and directed an immediate review of whether actions should be taken to prevent personal information of EU citizens from being transferred by Facebook to the United States:
the Court declares the Safe Harbour Decision invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.
Although the decision directly involves Facebook, it will have immediate implications for American companies with European subsidiaries – and vice versa – as well as for any American company maintaining a database that includes personal information on EU citizens.
Safe Harbor-certified U.S. companies should immediately review their practices and policies regarding transfers of customer and employee data, as well as data transfers from European subsidiaries to U.S. companies or data servers. In the short term, it may be possible to revise contracts and corporate data protection rules to comply with EU standards. In the long term, US and European Union government officials will have to find a solution – and quickly – or risk disruption of the economically essential flow of data between Europe and the United States.
* Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 L 215, p. 7).
UPDATE: On October 16, 2015, the Article 29 Working Party, the EU committee that advises the European Parliament on privacy protection issues, released a Statement about the Schrems case and its effect, particularly on US companies that previously relied on the protection of “Safe Harbor” certification. The group advises that alternative means of complying with European privacy laws, such as Standard Contractual Clauses and Binding Corporate Rules, are still available to US companies for the time being. However, the statement emphasizes that the overarching privacy concern with data transfers to the United States is “… massive and indiscriminate surveillance…” and that “… existing transfer tools are not the solution to this issue.”
As to “Safe Harbor” protection for data transfers, the Statement includes a stern warning:
In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful. (emphasis in the original statement).