EU court voted against EU-US Data Transfer based on the “Safe-Harbour” Principles –Immediate measures are needed to maintain current storage of data in the US.

October 6, 2015 the European Court of Justice (ECJ) has issued its decision (Schrems, case C-362/04) which might have a major impact on the exchange of EU-US data transfer.

It decided that the transfers of personal data from the EU to the US can no longer take place under the Safe Harbour principles and respective framework although such framework has widely been relied on as the legal basis for EU-US data transfers. After the ECJ’s decision such practice has to be reconsidered and will trigger a revised future practice.

The decision directly affects all European companies that have been transferring personal data to Safe Harbour-certified counterparts in the US. The decision will require prompt action by the responsible officers of all such European companies and its service providers.

The Court’s ruling stems from a complaint filed by Austrian Maximilian Schrems with the Irish Data Protection Commissioner, concerning Facebook’s transfer of his data to the US. Mr Schrems argued that – despite the Safe Harbour framework – the US can no longer be considered to offer an ‘adequate’ level of protection for personal data. Schrem’s claim was made in light of the large-scale surveillance activities of US National Security Agency NSA that were revealed by Edward Snowden.

Despite the Irish Data Protection Commissioner first rejecting Schrems’ claim, the European Court of Justice ultimately agreed with him and invalidated the EU Commission’s decision to authorize data transfers to the US under the Safe Harbour framework.

Under EU and German data protection law, personal data can be transferred out of the EU/EEA only if the destination country provides an ‘adequate’ level of data protection or if other safeguards are met. While the US as a whole has never met the EU’s adequacy requirement, the EU Commission has authorized data transfers to individual companies that have undertaken to comply with the Safe Harbour rules, as these companies have been considered to offer adequate protection.

After the Schrems decision, even Safe Harbour-certified companies are no longer regarded as offering adequate protection for EU citizens’ personal data. Any EU company considering to transfer data to a US company or a cloud service provider with storage capacities outside the EU will have to rely on complying with other safeguards in order to justify its data transfers.
As a consequence, the German data protection principles which are to a wide extent valid also in many other EU countries including EFTA countries shall guide through the difficulties deriving from the ECJ decision: Although current practice need immediate action and control of the data-flow process, it is still possible to continue transferring data to the US, provided that the company complies with one of the other available safeguard mechanisms:

These safeguard mechanisms are:

  • The foreign (US-) partner may contractually undertake to comply with the European Commission’s ‘model clauses’. These model clauses aim to ensure that the data transferred is specifically protected. Obviously, the mere inclusion of the clauses by amendment to existing agreements is only the first and formal step and not sufficient. Both parties must in fact comply with such duties stipulated by the clauses’.
  • The EU company sending the data abroad (to the US) may also use their proprietor contract terms. In such case the company-clauses shall be approved by a national data protection supervisor before they can be used to justify safe data transfers abroad/ to the US.
  • For group-internal data transfers to the US, the respective group can adopt ‘binding corporate rules’ (BCRs) for data protection. These internal rules then define the policies of the group regarding any of their cross-border data transfers. In such case prior approval also is essential: Before such BCR’S may be used to justify safe date transfers, they must be approved by a EU-Member State data protection supervisor.

In addition to this, personal data may be transferred abroad/ to the US where the respective person provides its unconditioned consent to such transfer. Such individual allowance stays impractical, when companies outsource their IT systems or use cloud storage systems both with service providers abroad (i.e. outside the EU)/ in the US.
After this Schrems decision of the ECJ the various national data protection supervisors in the EU may decide their future policy, either on a case-by-case or consider a New Safe Harbour regime.
An indication for such New Safe Harbour Regime is that the ‘Article 29 Working Party’ (WP29) – a co-operation body for the national EU data protection supervisors – has already announced that it will issue uniform guidance for how to comply with the post-Schrems rules. It is to be expected that the national data protection supervisors of the EU member states will issue their own statement shortly thereafter.
Due to the current uncertainty it is strongly advisable to review all existing data transfer arrangements, outsourcing agreements or related contracts which might provide allowance of data transfer to non-EU countries, in particular to the US. The responsibility is clear with the EU entities and their officers to react without undue delay or suffer from the strict regime of personal liabilities of infringement of data protection rules.
We are prepared to provide to you short hand and pragmatic advice in case needed or respond to any questions or additional queries regarding the decision and its consequences.
Please kindly email at kontakt@primepartners.de or call our office at +49 69 87002080.