On 1st October GL Law merged with national law firm Shakespeare Martineau as part of an exciting growth plan. To find out more read the full story here. If you have any urgent queries please reach out to your usual contact, email, or call 0117 906 9400.

Home > News > European Court raises the anchor on Safe Harbour

European Court raises the anchor on Safe Harbour

14 October 2015 |


On 6 October 2015 the Court of Justice of the European Union (CJEU), Europe’s highest court, ruled that a decision of the European Commission in 2000, which attempted to legitimise transfers of personal data from European organisations to US organisations (Safe Harbour Decision), is invalid.

What was the Safe Harbour Decision about?

The eighth principle of the EU Data Protection Directive 1995 (Directive), which was implemented into UK law by the Data Protection Act 1998, prohibits European businesses and organisations which are classed as “data controllers” under the Directive (Data Controllers) from transferring data which personally identifies living individuals (Personal Data) outside of the European Economic Area, except to countries which ensure an “adequate level of protection for the rights and freedoms of [individuals] in relation to the processing of personal data” (Eighth Principle).

There was some concern that the US approach towards privacy and data protection did not accord with that of the EU and, therefore, transfers from Data Controllers to US organisations would not comply with the Eighth Principle. In order to “bridge these differences in approach”, the European Commission and US Department of Commerce developed a safe harbour framework which would make it easier for US organisations to comply with the Eighth Principle before self-certifying compliance.

The Safe Harbour Decision (as opposed to agreement, which is a common reporting error) formally recognised the validity of this framework thereby making it easier for Data Controllers to transfer Personal Data to US organisations which self-certified and whose details were published on the EU-US Safe Harbour List (Listed Organisations). If a Listed Organisation failed to comply with its commitments under the safe harbour framework, the US Federal Trade Commission was given the power to levy penalties of up to $16,000 per day for violations and persistent offenders would be removed from the list.

Why was the Safe Harbour Decision challenged?

The Snowden Revelations in 2013 lifted the lid on mass surveillance of Personal Data belonging to EU citizens by the US intelligence agencies and the apparent willingness of Listed Organisations in sharing Personal Data with those agencies indiscriminately. This created a perfect storm of concern for the rights of EU citizens under the Safe Harbour Decision.

An Austrian law student and privacy activist by the name of Max Schrems founded a group called Europe v. Facebook, which invited the Irish Data Protection Commissioner (DPC) to investigate the transfer of Personal Data between Facebook Ireland Ltd (a Data Controller) and Facebook Inc. in the US under the Safe Harbour Decision (though, interestingly, Facebook chose not get involved with the case). When the DPC rejected the complaint, the Irish High Court, which sided with Max Schrems, referred various points of law to the CJEU.

What did the CJEU rule?

The CJEU ruled that:

  1. the Safe Harbour Decision did not mean that data protection regulators, such as the DPC, should compromise their independence and turn a blind eye to questions of whether the transfer of Personal Data to the US adhered to the principles and standards in the Directive;
  2. mass surveillance of the kind uncovered by Snowden was directly opposed to the fundamental rights of EU citizens in respect of their Personal Data; and
  3. the Safe Harbour Decision was therefore invalid on the basis that US intelligence agencies and national security interests were given priority over the principles established by the Safe Harbour Decision. The Safe Harbour Decision did not extend to the US intelligence agencies.

Was the ruling a surprise?

Not really. The Irish High Court commented that “only the naïve or the credulous could really have been greatly surprised over these mass forms of surveillance.” Furthermore, the European Commission has been trying (in vain) to negotiate ‘Safe Harbour II’ with the US Department of Commence since the Snowden Revelations and a number of independent reviews identified that the safe harbour framework was not fit for purpose.

What happens next?

In light of the CJEU’s ruling, the Irish High Court will likely require the DPC to undertake a full investigation into Europe vs. Facebook’s complaint against Facebook Ireland Ltd. This may lead the DPC to suspend the transfer of Personal Data to Facebook Inc. and to take enforcement action under Irish data protection law.

Perhaps owing to gagging orders imposed by the US intelligence agencies, Facebook will not confirm whether it was subject to mass surveillance and, accordingly, whether it breached the fundamental rights of EU citizens in the process.

Facebook has commented:

“The Advocate General himself said that Facebook has done nothing wrong. What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows. Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbour.”

What does the ruling mean for Data Controllers?

The Safe Harbour Decision provided Data Controllers with certainty that they were complying with the Eighth Principle if the US organisation to which they transferred Personal Data was a Listed Organisation. That certainty has evaporated with the CJEU’s ruling.

Data Controllers will therefore need to consider whether and to what extent transatlantic data flows occur before considering whether any other alternatives under the Directive apply. Where Data Controllers have agreements with Listed Organisations, Data Controllers may want to enquire about how those Listed Organisations are reacting to the ruling (for example, Microsoft has confirmed that it is putting in place additional safeguards for its enterprise cloud customers) and, where the contract provides, initiating an audit of data processing practices.

What are the other alternatives?

The two exemptions which are relevant to private Data Controllers are:

  1. Where an individual has consented to the transfer of their Personal Data to the US by “any freely given, specific and informed indication of his wishes” (for example, in a contract of employment or other contractual document);
  2. Where the transfer of Personal Data is necessary:
  • for the performance of a contract between an individual and the Data Controller, or to comply with a request made by an individual before entering into a contract (for example, employee data transferred from a UK company to its US parent company); or
  • for the conclusion or performance of a contract between a third party and a Data Controller that is entered into at the request of the individual to which the Personal Data relates (for example, customer postal addresses being transferred to a US manufacturer to fulfil an order).

Alternatively, Data Controllers may want to adopt the European Commission’s “standard contractual clauses” for the transfer of Personal Data to countries outside the EU. Where an agreement is entered into between a Data Controller and a US organisation on the basis of these clauses, there is a presumption that “adequate safeguards” are in place. Group companies may also consider implementing so-called “binding corporate rules” (BCRs) which allows cross-border transfers of Personal Data under the terms of an agreement approved by a data protection regulator (such as the UK’s Information Commissioner).

Both approaches are not without their flaws: consent can be withdrawn by an individual at any time; contractual agreements with organisations in countries that do not respect data protection principles are open to challenge on grounds of fairness; and BCRs can take a long time to put in place. Whether or not the CJEU will question the validity of these approaches in the context of US organisations freely sharing Personal Data with US intelligence agencies remains to be seen.

What is the risk of enforcement action?

The UK’s data protection regulator, the Information Commissioner’s Office (ICO) has said:

“[The ruling] does not mean that there is an increase in the threat to people’s personal data, but it does make clear the important obligation on organisations to protect people’s data when it leaves the UK. The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this.”

Where can you find out more?

Further information about cross-border transfers of Personal Data can be found on the ICO website.

How can Gregg Latchams help?

Our data protection experts can:

  • Review existing and pending commercial agreements to ensure that they contain adequate safeguards;
  • Assist you with undertaking supplier due diligence and audits of data processing practices;
  • Advise you in the (currently unlikely) event that the ICO or any other data protection regulator threatens or commences enforcement action.

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.

  • What can we help you with?