Legal insight

D. CASAER, “Turmoil in the Safe Harbor”, ODC Privacy Law Newsletter, November 2015

European Union residents enjoy a high degree of privacy protection, for which legislation in the United States has until now granted no equivalent. In today’s interconnected and often data-driven business world, the protection of privacy and compliance with the rights of the EU’s more than 500 million residents and citizens has become a major point of attention for all enterprises doing business in the European Union. In short, internet transactions and social media involving interaction with a person residing in the EU require the operator to comply with EU privacy rules.

The European legal framework

The recent developments and turmoil in the Safe Harbor must be viewed in the context of the various international treaties that were signed in the second half of the past Millennium.

The European nations’ historic experiences with dictatorial regimes resulted in the signature of the European Convention on Human Rights on November 4, 1950. Section 1 of Article 8 of that Convention provides for the protection of the European resident’s ‘right to respect for private and family life, his home and his correspondence’. Article 8 has been broadly construed by the European Court of Human Rights ever since and effectively requires European governments to protect the privacy of those resident on their soil. On January 28, 1981, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was signed; it is currently in force in all 27 EU Member States.

Based on these international treaties, all European Member States implemented privacy regulations in their local law. So as to facilitate the free flow of personal data within the EU, the international transfer of any information relating to an identified or identifiable natural person, i.e. ‘personal data’, collected or processed in the EU or using equipment in the EU, has been regulated as of October 24, 1995 by EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the ‘Privacy Directive’). The implementation thereof in local law by the various EU Member States had to be completed by October 24, 1998.

The Privacy Directive also requires the EU Member States to implement legislation permitting the transfer of personal data to a ‘third country’, i.e. a country outside the EU, in principle if and when that third country offers an adequate level of personal data protection that is equivalent to the protection available within the EU.

The US failed to implement the 1980 OECD Recommendations concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data. In addition, the protection afforded by the various U.S. privacy regulations is not always granted to EU citizens or residents. As a result, the US is not considered by the EU authorities to be a third country offering adequate protection. This US reluctance to enact legislation that also protects the privacy of EU citizens is the basis of the generally applicable prohibition on transferring personal data collected in the EU to the US.

Safe Harbor framework

As many US enterprises have operations in the EU and want to transfer personal data from the EU to the US in an efficient way, different solutions have been organized in the past to facilitate the transfer of personal data. One of these solutions was the so-called ‘safe harbor’ arrangement. Under that safe harbor arrangement, US enterprises could adhere on a voluntary basis to the self-regulatory framework provided by the US Department of Commerce and endorsed by the European Commission in its Decision 2000/520/EC of July 26, 2000.

The Safe Harbor arrangement can be viewed as a system of self-regulation. However, experience has shown that this self-regulation does not always lead to satisfactory results and that in practice European citizens find it difficult if not impossible to effectively enforce their privacy protection in the US or against US enterprises that do business or offer access to social media in the EU and which are transferring to the US personal data collected in the EU.

The landmark decision of the European Court

On October 6, 2015 the European Court of Justice ruled in Schrems vs. Data Protection Commissioner (matter C-362/14) that the EU Commission Decision of July 26, 2000 is invalid.

In summary, the Court of Justice did not accept that, under the Safe Harbor arrangement, the national data protection authorities of the EU Member States were prevented from investigating whether an adequate level of protection was effectively guaranteed in the US. As a result of the Court’s ruling, the Safe Harbor framework has since October 6, 2015 no longer been a legitimate ground for the transfer of personal data from the EU to the US.

A public Statement issued on October 16, 2015 by the advisory body of representatives of the national data protection authorities of the EU Member States (the so-called ‘Article 29 Working Party’) made clear that “transfers still taking place under the Safe Harbor decision after the CJEU judgement are unlawful”. Following this landmark decision of the European Court, the same rules now apply on a worldwide basis outside the EU, and the US no longer benefits from a much more lenient regime.

Solutions

Many enterprises operating in the EU, in particular subsidiaries of US parents but also social media and web shops linked to the US, must therefore now rapidly seek an alternative legal basis for the transfer of personal data to the US. The US Department of Commerce has already announced that it will nonetheless continue to administer the Safe Harbor program, including submissions for self-certification. For questions, however, it refers to the European Commission, the appropriate European national data protection authority or legal counsel.

For the time being the national data protection authorities of the EU Member States consider that Standard Contractual Clauses and Binding Corporate Rules, both issued by the European Commission, can still validly be used to comply with the Privacy Directive and local privacy legislation implemented on the basis of the Privacy Directive.

We conclude that the following alternative solutions may currently be envisaged:

  • to conclude a specific personal data protection contract with the recipient of the personal data in the third country;

  • to implement Binding Corporate Rules governing intra-group data flows;

  • in specific cases, to rely on certain exceptions (such as the explicit consent of the data subject) provided by the concerned EU Member States’ locally applicable privacy laws.

Specific contracts must comply with the European Commission’s Standard Contractual Clauses. Each EU Member State has enacted rules which govern the conformity test.

With respect to the greater Brussels area, where many foreign enterprises have their European headquarters, the details of the conformity test for specific contracts are set forth in a Protocol Agreement signed by the Belgian Minister of Justice and by the President of the Belgian Privacy Commission on June 25, 2013. Before entering into a privacy agreement, a copy of the agreement must be sent to the Belgian Privacy Commission, which will check whether its contents comply with the European Commission’s Standard Contractual Clauses. In addition, the transfer to the US and the processing done in the US must be notified to the Belgian Privacy Commission, which will list this notification in its public register.

As regards Binding Corporate Rules for Controllers (meaning corporations processing data relating to their own employees, customers and/or suppliers), a conformity test must also be performed in accordance with a Protocol Agreement signed by the Belgian Minister of Justice and by the President of the Belgian Privacy Commission on July 13, 2011. When a company active in various EU Member States applies to the Belgian Privacy Commission for a confirmation of conformity, the Belgian Privacy Commission will contact its counterparts in the other EU Member States concerned in order to conduct a joint study of the draft code of conduct submitted by the applicant. Once a concerted position has been adopted between the various local privacy authorities, the final opinion will be given by the Belgian Privacy Commission (i.e. by the local privacy authority that received the original application). In Belgium, the authorization is confirmed by Royal Decree and published in the Belgian Official Gazette. Up until now, only 16 multinationals have followed this procedure in Belgium.

Going forward

The European Commission had already been working with its US counterparts on tightening the Safe Harbor arrangement for the exchange of data for commercial purposes. In view of the Court’s recent ruling, we anticipate that this may take more time than first expected, and there is at present no certainty at all that the Commission will have the required power to issue a binding decision.

The national data protection authorities of the European Union Member States have publicly urged that appropriate solutions be put in place by the end of January 2016, failing which they will consider initiating coordinated enforcement actions.

The American Chamber of Commerce to the European Union pointed out in a recent statement that an interruption of trade in services and data flows could reduce the EU’s GDP by up to 1.3%, and that EU services exports to the US could drop by as much as 6.7% due to loss of competitiveness. Therefore, the concerned enterprises are advised to rapidly start working on one of the above-mentioned solutions.