International and Litigation Alert
On October 6, 2015, the Court of Justice of the European Union (CJEU) struck down the "Safe Harbor" international agreement that, since 2000, enabled companies to move individuals' personal data between the European Union and the United States. Case No. C-362/14, Schrems v. Data Protection Comm'r, (CJEU Oct. 6, 2015). EU law generally prohibits the transfer of personal data from EU member states to any country lacking similar data privacy and protection regimes. In the EU, personal data is broadly defined to include any information relating to an identified or identifiable person, which means that a substantial amount of corporate data may be considered personal data.
The ruling came down in the context of a dispute between an individual, Maximillian Schrems, and the Data Protection Commissioner in Ireland concerning the Commissioner's refusal to investigate a complaint made by Mr. Schrems regarding personal data transfers by Facebook Ireland Ltd. to servers located in the United States. Citing Directive 95/46/EC of the European Parliament (the EU Directive on Data Protection), the Court recognized that cross-border flows of personal data are necessary for international trade, which is why it does not stand in the way of transfers to countries "which ensure an adequate level of protection ... in light of all the circumstances surrounding the transfer operation." However, the transfer of personal data to a country that does not ensure an adequate level of protection "must be prohibited."
The CJEU found that United States intelligence surveillance programs involving the collection and processing of personal data (e.g., the PRISM program) make adherence to the safe harbor principles virtually impossible. According to the CJEU, these programs do not fall under the "national security" exception to the transfer restrictions because the wide data net cast goes beyond what is strictly necessary and proportionate to the protection of national security. Moreover, European citizens who believe their personal data have been compromised have no legal recourse in the United States judicial system. Due to these concerns, the CJEU found the data transfer agreement between the United States and the EU "invalid."
This decision -- which cannot be appealed in the European court system -- impacts all companies with offices, employees or business relationships in Europe. Personal data should no longer be transferred from the EU to the United States solely on the basis of self-certification under the safe harbor provision of the data transfer pact. Most large multinational companies have side agreements with the EU that will allow them to continue moving data across borders despite this ruling, but companies that do not will need to reevaluate their current data use practices.
In the meantime, pressure increases on United States and EU diplomats to reach an agreement on an updated safe harbor pact for data transfer. The parties have been negotiating for two years, but there is no word on when they hope to finalize a deal. The United States and EU have agreed in principle to a separate pact called the "Umbrella Agreement" that covers cooperation and sharing of data between law enforcement agencies. But European negotiators have indicated that they would sign the deal only if European citizens are given the right to bring data misuse cases in the United States.
On October 6, United States Secretary of Commerce Penny Pritzker expressed her concern:
We are deeply disappointed in today's decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy.
We are prepared to work with the European Commission to address uncertainty created by the court decision.
In addition, there may be collateral consequences of this decision. For example, the decision may restrict a common practice for compliance with other EU rules. A common element of sanctions compliance is centralized name-screening outside of the EU to avoid dealing with blocked or frozen parties. As a practical matter, companies that do business in the EU member states are required to check potential business partners against lists of frozen or sanctioned parties, but this decision has reduced the efficiency of this compliance tool. It has also reduced the value of this tool in complying with United States sanctions and export control rules related to reexports from the territory of the EU.
For now, companies operating on both sides of the Atlantic should review options for business and compliance objectives that remain intact after this CJEU decision. Such options may include (a) the use of "appropriate contractual clauses" ensuring adequate data protection along with necessary approvals from the EU and member states, and (b) the use of data owners' consent for the transfer of their personal data.
For more information, please contact John C. Eustice, Larry E. Christensen or any lawyer in the International or Litigation practices:
John C. Eustice, email@example.com, 202-626-1492
Larry E. Christensen, firstname.lastname@example.org, 202-626-1469