In 1995 the European Union adopted the Data Protection Directive. It soon became apparent that the United States did not provide the adequate level of protection that the Directive required for international transfers of personal data, prompting the US and the EU to negotiate an arrangement known as "Safe Harbor". This arrangement was given legal effect in Europe through Commission Decision 2000/520/EC of 26 July 2000 (hereafter referred to as the "Decision").
As a result, a platform administered by the US Department of Commerce was created to inform interested parties on how to adhere to the Safe Harbor principles and comply with the conditions for international transfers of data. Joining was voluntary, but once a company self-certified, the principles became legally binding on it. The creation of that platform and the implementation of Decision 2000/520 is what has been referred to as the Safe Harbor program.
However, on 6 October 2015 the Court of Justice of the European Union (CJEU, which is responsible, among other things, for reviewing the validity of acts adopted by the European Commission) issued a judgment declaring the "Safe Harbor" Decision, namely Decision 2000/520, invalid and therefore without legal effect.
In this post, we will examine the legal grounds on which the agreement was invalidated, as well as the consequences and the resulting recommendations for European companies.
This post is also available in Spanish.
RELATED LEGAL RULINGS
For 15 years, international transfers of personal data from companies or entities in the European Union to US companies that had joined the Safe Harbor program rested on a presumption of adequacy and were therefore considered compliant with European regulations on privacy and data protection.
However, the CJEU declared the Decision invalid after examining a request for a preliminary ruling from the Irish High Court. That request arose from a case brought by the activist Maximilian Schrems against the Irish Data Protection Commissioner, who had declined to investigate his complaint that Facebook Ireland Ltd. was transferring personal data to servers located in the United States.
Mr. Schrems filed his complaint in 2013, relying on the revelations made by Edward Snowden about the activities of the US National Security Agency (NSA). The case drew attention to the fact that US law and practice did not guarantee adequate protection for personal data transferred to US territory.
In its judgment, the CJEU relied on Communication COM(2013) 847 final from the European Commission to the European Parliament and the Council, which reported serious deficiencies in the Safe Harbor program, and quoted the following findings:
- “It is apparent, in particular, from points 3 to 5 and 8 of Communication COM(2013) 847 final that, in practice, a significant number of certified companies did not comply, or did not comply fully, with the Safe Harbour principles”.
- "In addition, the Commission stated in point 7 of Communication COM(2013) 847 final that 'all companies involved in the PRISM programme [a large-scale intelligence collection programme], and which grant access to US authorities to data stored and processed in the [United States], appear to be Safe Harbour certified' and that '[t]his has made the Safe Harbour scheme one of the conduits through which access is given to US intelligence authorities to collecting personal data initially processed in the [European Union]'."
- Moreover, the Commission stated in point 7.1 of the same Communication that "a number of legal bases under US law allow large-scale collection and processing of personal data that is stored or otherwise processed [by] companies based in the [United States]" and that "[t]he large-scale nature of these programmes may result in data transferred under Safe Harbour being accessed and further processed by US authorities beyond what is strictly necessary and proportionate to the protection of national security as foreseen under the exception provided in [Decision 2000/520]".
In addition to the above, two aspects that the Court treated as grounds for invalidating Decision 2000/520 deserve to be highlighted:
- The Court found that, when the Commission adopted the Safe Harbor Decision, it did not establish that the United States in fact ensured, by reason of its domestic law or its international commitments, a level of protection for personal data equivalent to that required by the European Union.
- In the Decision, the European Commission set a very high threshold for the conditions under which a national supervisory authority could intervene in cases concerning the protection of privacy and the fundamental rights and freedoms of individuals, effectively limiting the role of those national authorities.
LEGAL CONSEQUENCES OF THE INVALIDATION OF SAFE HARBOR
Invalidation means that the act issued by the Commission is void and has no legal effect. In other words, with Decision 2000/520 eliminated, there is no longer a formal legal instrument facilitating international transfers of personal data between businesses based in the EU Member States and the US.
In the absence of a legally binding Safe Harbor agreement, current legislation on international data transfers must still be strictly followed. The current regulations allow the transfer of personal data in cases including the following:
- Cases in which there is unequivocal user consent.
- Cases in which standard contractual clauses approved by the European Commission have been implemented.
- Cases in which Binding Corporate Rules (BCRs) have been implemented.
WHAT IS THE CURRENT SITUATION?
The situation has created a great deal of legal uncertainty, since there is no longer a standard rule governing the provision of Internet cloud services that depend on transferring EU citizens' personal data to the US, a rule that had underpinned the operations of large multinationals. Although alternative legal mechanisms exist, a certain amount of time, management and coordination between entities will be required to reorganize the system.
More than three months have passed since the Court issued its judgment and no new solution has yet been reached. Members of the European Commission have begun talks with the US government in order to forge another agreement, but there are no signs that one will be reached any time soon.
In order to reassure the global business community, the European Commission issued Communication COM(2015) 566 final, which states that transfers can continue to be carried out under alternative mechanisms such as standard contractual clauses and/or binding corporate rules (BCRs).
For their part, the European data protection authorities, through the Article 29 Data Protection Working Party, issued the following statement: "If at the end of January 2016 a suitable solution has not been reached with the US authorities, the European Data Protection Authorities agree to adopt any necessary and appropriate measures they see fit, based on an assessment of the transfer mechanisms by the Working Party, which may include coordinated enforcement actions."
In Spain, from November 2015 onwards, the Spanish Data Protection Agency began contacting Spanish companies responsible for international transfers of personal data to inform them of the judgment of the European Court of Justice. Since these companies must ensure that their suppliers provide technological services that comply with current legislation, many have subsequently contacted their providers to seek agreements or legal solutions. Businesses also have the option of carrying out the necessary regulatory compliance work on data transfers themselves. If they fail to do so, Spanish companies will have to do without the services offered by US companies (see the letter sent to all data controller companies, in Spanish).
ADVICE FOR EUROPEAN BUSINESSES
Given that the deadline set by the Article 29 Data Protection Working Party is about to expire, and that negotiations with the US could take an indefinite period of time, the following advice is recommended for European companies:
- Ensure providers process and store personal data on servers located exclusively in the European Union.
- If a company processes or stores data in another location, the United States for example, it should have a prior agreement with the service provider (for example, a cloud service provider) that includes standard contractual clauses validated by the competent data protection authority. Under such clauses, the provider commits to ensuring compliance with European data protection law by adopting whatever measures are necessary.
The latter does not prevent this type of data processing from being considered an international transfer of data. Therefore, the entity responsible for processing the data and wishing to use a cloud service hosted on servers outside the EU has a duty to notify the competent data protection authority.
- Obtain the express consent of the users whose data is transferred. It is important that the data controller keeps copies of that consent, whether in written or digital form, and that the document signed by the users, a text prepared by each business, meets regulatory requirements and evidences that the user has expressly authorized the international transfer of their data. This does not, however, eliminate the duty to additionally notify the competent data protection authority of the transfer.
- Use services equivalent to those provided by companies with servers in the US, but whose servers are located in the European Union and which comply with the guidelines established by the European Union.
Although there are legal options that facilitate the international transfer of data between the US and the EU, it is important that any entity responsible for data processing first reviews any potential internal non-compliance and takes the necessary measures to mitigate the risks or possible sanctions that a breach of international data transfer legislation could entail. Similarly, given the legal uncertainty caused by the Court's ruling, companies are advised to heed the statements issued by the European data protection authorities and the European Commission, which will be oriented towards finding a sector-wide solution and will probably be reflected in the future General Data Protection Regulation.
This is a guest post by Ana Martiza Vega Suárez.
At Signaturit, all client and user data is stored on servers located in countries belonging to the European Union, ensuring that the use of our electronic signature solution complies strictly with EU regulations. In addition, our personal data security measures are reinforced by the fact that signatures are never stored on our platform: they must be executed on the spot for each and every transaction.
If you wish to know more about our electronic signature solution, please download the following white paper. You can also contact us directly by dialling +34 935 511 480.
- Electronic signature legislation in the United States: UETA Act and E-Sign Act.
- eSignature, biometric technology and data privacy in Europe.
1. The Data Protection Directive, officially Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, according to the EU website.
2. The information is transcribed in the terms used by the Court.
3. Commission Decision 2001/497/EC of 15 June 2001, amended by Commission Decision 2004/915/EC of 27 December 2004, and Commission Decision 2010/87/EU of 5 February 2010. In Spain, international data transfers are governed by Articles 33 and 34 of Organic Law 15/1999 of 13 December on the protection of personal data (LOPD) and by Title VI of the regulation implementing that Organic Law, approved by Royal Decree 1720/2007 of 21 December.