Today’s post is written by my colleague Kevin Coy, a Partner in our Privacy and Consumer Regulatory practice group.
Since 2000, the EU-US Safe Harbor program has been one means by which eligible US companies could transfer personal data from the European Union (EU) to the United States in accordance with EU law regulating transfers of personal data. On October 6th, the European Court of Justice (ECJ) ruled, in Schrems v. Data Protection Commissioner (C-362/14), that the European Commission’s 2000 finding that the EU/US Safe Harbor framework (Safe Harbor) provided an adequate level of protection was invalid.
The 1995 EU data protection directive (the “Directive”) restricts the transfer of personal information from the EU to countries outside the EU that lack what the EU considers to be “adequate” privacy protection. Europeans do not deem US law to be adequate and Safe Harbor was created to facilitate transfers from the EU to the US. Safe Harbor has been used by over 4500 companies, including many background screeners, as a legal basis for transferring personal information from the EU to the United States since the program was implemented in 2000.
The ECJ Opinion. The ECJ found that the 2000 European Commission Safe Harbor adequacy finding was deficient in a number of respects and is, therefore, invalid. In particular, the ECJ noted that the European Commission’s adequacy finding did not find that US law provides a level of protection for personal data “essentially equivalent” to that guaranteed under EU law. The ECJ noted that US government agencies are not subject to Safe Harbor’s requirements and hence not bound by the rules of the program. The Court also found a Safe Harbor provision deferring to US national security and law enforcement needs–in the event of a conflict between those interests and the requirements of the Safe Harbor principles–to “enable interference” with the fundamental rights of EU citizens by US officials, without limitation. The Court also faulted the program for not providing an opportunity for EU citizens to seek redress in the case of such governmental interference.
In another aspect of the opinion likely to have long term implications, the ECJ also stated that adequacy findings are subject to challenge through Data Protection Authorities (DPAs) and the courts in each of the EU’s 28 member states, but held that only the ECJ itself has the authority to invalidate an adequacy finding. This part of the ruling appears to empower consumers and advocates in the EU to bring complaints and require that the DPAs address them, unlike the situation that prompted the Schrems case where the Irish DPA refused to address Mr. Schrems’ complaint against Facebook because of the European Commission’s Safe Harbor adequacy finding.
What does the opinion mean? In the short term, there is likely to be a period of uncertainty around data transfers from the EU to the United States, particularly those involving Safe Harbor participants. It appears unlikely that the European DPAs will seek to bring retroactive actions for data previously transferred from the EU to the US through Safe Harbor in good faith in compliance with the program’s requirements. However, moving forward, background screeners and other companies that use Safe Harbor themselves or rely on service providers that use Safe Harbor in the course of providing services should review their options and strategies for transferring personal data from the EU to the United States to mitigate potential risks of complaints or enforcement inquiries in the EU. While the ECJ opinion struck down the Safe Harbor adequacy finding—and potentially lays the groundwork for challenging other adequacy findings—other means of transferring personal information, such as European Commission approved standard (aka “model”) contract clauses currently remain a valid option for facilitating data transfers.
With the invalidation of the Safe Harbor adequacy finding, DPAs in each of the EU Member states may take different positions with respect to transfers by companies that had been relying on Safe Harbor. The UK Information Commissioner’s Office, for example, issued a statement that said in part, “The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognize that it will take them some time for them to do this.” DPAs in other EU Member states may take different approaches, potentially driven by consumer complaints about transfer practices, which the ECJ said could be appealed to national courts in the event that the DPA rules against the complaint. A number of data protection authority officials issued statements stressing the need for the DPAs to consult on their approach to the issue. Meetings among the EU DPAs are underway and are expected to provide further guidance about the approach that the DPAs will take in the aftermath of the Schrems ruling.
What about a new or reformed Safe Harbor program? The EU and the US have been in ongoing discussion about reforming Safe Harbor and recent reports indicate that those talks had been nearing completion. However, any reform of Safe Harbor will now need to be reviewed to take the ECJ’s opinion into account, which could take some time. The ECJ had a number of objections about the original Safe Harbor program which could raise the bar for the new agreement, because it too could be challenged and subject to a future ECJ case. Statements from the Department of Commerce as well as European Commission officials following the ECJ ruling both referenced the ongoing negotiations over a reformed Safe Harbor program and the importance of the continued flow of personal information across the Atlantic. No timetable has been offered as to when such an agreement might be finalized or implemented.
What other options are available to transfer personal data from the EU to the US? Even with the invalidation of the Safe Harbor adequacy finding, there are still strategies for lawfully transferring personal data from the EU to the United States. Which of these strategies—or some combination of them—would work for a particular background screener will depend on its situation and the needs of its clients, some of whom may quickly want to implement alternate measures while others may be more inclined to wait to see what additional guidance the DPAs provide or how quickly a new Safe Harbor can be developed. Potential options include:
- Standard contractual clauses. Screeners with clients in the EU may be able to use standard contractual clauses that have been approved by the European Commission under a separate adequacy determination, which was not before the ECJ in the Schrems case, as a basis for transferring data from the EU to the US. These clauses, which have been approved for data transfers from the EU to third countries around the world, not just for transfers to the United States, must be adopted by the parties without modification (except for a few particular clauses where customization is permitted) to obtain the benefits of the European Commission’s adequacy finding. Standard contractual clauses may be useful, for example, for background screeners that have clients in the EU and need to transfer personal information about the client’s applicants or employees to the US for processing. These clauses impose a number of obligations, including requirements to flow commitments downstream to subcontractors, which should be carefully considered with counsel.
- Consent and other “derogations.” The EU Directive’s restriction on the transfer of personal data to third countries that lack an “adequate” level of data protection includes a number of limited exceptions or “derogations,” which, depending on the circumstances, also could serve as a basis for transferring personal information:
  - The data subject has given consent unambiguously to the proposed transfer.
  - The transfer is necessary for the performance of a contract between the data subject and the controller (essentially the party that controls what happens to the personal data) or the implementation of pre-contractual measures taken in response to the data subject’s request.
  - The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party.
  - The transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims.
  - The transfer is necessary in order to protect the vital interests of the data subject.
  - The transfer is made from a public register to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
While some of these derogations may seem broad at first, their potential applicability should be carefully reviewed because EU authorities tend to interpret the derogations narrowly. In the case of consent, for example, the European view is that consent must be freely given, which can present challenges in areas such as employment screening, where EU data protection officials may question whether consent has been freely given because of perceived imbalances in the relationship between employer and employee. Similarly, when “necessary” is used in a derogation, this is often narrowly construed; EU data protection officials do not interpret “necessary” as meaning merely convenient to the company that would be transferring the personal data. Screeners may be able to use the public register derogation in some cases to facilitate transfers on behalf of their customers, although the laws governing particular public registries in each of the EU member states will have an impact on whether, and to what extent, this derogation will provide a basis for transfer of data from that registry. The DPAs have cautioned that this derogation should not be interpreted as permitting bulk transfers of data found on EU public registries, but the derogation could prove useful in the context of some individual screening initiatives.
- Binding Corporate Rules. Binding corporate rules (BCRs) are binding privacy commitments that a multi-national family of companies makes to EU DPAs to govern transfers of personal information within that family of companies. BCRs are not likely to be an option for most screeners.
The ECJ opinion is significant in a number of respects and likely will have long term implications. In the near term, background screeners that rely on Safe Harbor directly or indirectly to facilitate transfers of personal information from the EU to the US should re-evaluate what personal information they transfer from the EU to the US and consider alternate measures to mitigate their potential risk.