
Complying with EU Data Protection Directive Post-Invalidation of Safe Harbor Framework

Business Law Blog
The information on this page should not be construed as legal advice.

This article is directed at web app and mobile app startups that collect user data from end users in the EU.

The Case in a nutshell:

On October 6, 2015, the European Court of Justice (ECJ) invalidated the safe harbor agreement that had previously harmonized EU and U.S. privacy laws and enabled companies to transfer user data easily from the EU into the U.S.

Max Schrems, an Austrian law student and privacy activist, brought the case, claiming that data transferred to the U.S. was not adequately protected from mass surveillance by intelligence agencies under U.S. law, citing Edward Snowden’s revelations in 2013.

First, some background on EU Data Protection and Safe Harbor:

The Safe Harbor agreement was set up to bridge the EU and U.S. privacy frameworks. The EU treats privacy as a fundamental right, and the EU Data Protection Directive 95/46/EC (Directive) provides a comprehensive framework regulating the collection, use, and transfer of personal data. In contrast, the U.S. Bill of Rights only implicitly protects privacy, and U.S. federal privacy regulation is more ad hoc and sector-specific, such as the Children’s Online Privacy Protection Act (COPPA) and the Health Insurance Portability and Accountability Act (HIPAA).

Since 2000, the safe harbor scheme had enabled thousands of U.S. companies to transfer data from the EU to the U.S., so long as each company pledged to comply with the set of safe harbor privacy principles, thereby affording a level of protection for personal data that could be considered “adequate” under EU standards.

ECJ Decision:

The ECJ, following the core opinion of the Advocate General, ruled that (1) the safe harbor agreement was invalid, and (2) Member States’ Data Protection Authorities (DPAs) must have the power to investigate and suspend transfers of data based on inadequate levels of protection. The ECJ determined that the U.S. does not provide adequate protection of personal information because (a) the U.S. permits intelligence agency surveillance practices to prevail over and undermine safe harbor requirements; (b) there was no mechanism for European citizens to seek redress in the U.S.; and (c) the power of individual DPAs to investigate and suspend transfers to the U.S. was limited by the safe harbor decision.

Practical Implications of the Decision:

The decision impacts over 4,500 companies that self-certified under the safe harbor framework, including not only web service providers and big data companies, but any international company that transfers customer or employee data across the Atlantic.

Data transfers completed under the safe harbor framework prior to the decision will remain lawful. The European Commission is presently in the process of negotiating a replacement framework much like the safe harbor. But until a political solution is reached, companies will either need to keep European user data in the EU or rely on alternative mechanisms to comply with the Directive. The mechanisms a company chooses will largely depend on its size, business model, corporate structure and nature of operations in the EU. Ahead of an updated safe harbor framework, companies may adopt standard data protection contractual clauses (SCCs), Binding Corporate Rules (BCRs), or seek consent from all affected individuals under the derogations provided by the Directive. However, it is important to keep in mind that BCRs and SCCs still leave U.S. companies exposed, since any Member State DPA could suspend the transfer on the grounds that the U.S. does not provide an adequate level of protection. It is interesting to note that the ECJ did not address the validity of these instruments, even though they may ultimately have effects similar to the safe harbor.

An alternative avenue for permitting data transfers that may be viable, particularly for smaller companies, is to obtain user ‘consent’ pursuant to the Directive. The Directive states that personal data may be transferred to a country that does not ensure an adequate level of protection on condition that “the data subject has given his/her consent unambiguously to the proposed transfer”. That said, the threshold for consent is very high: a valid consent must be a clear and unambiguous indication of the data subject’s wishes, given freely, and be specific and informed.

Although obtaining proper consent for every transfer may be too expensive and impractical for large businesses, it may be feasible for companies transferring a relatively limited amount of personal data, such as through a website or mobile application. In that case, companies should identify each point at which a data transfer occurs during the use of their application, and ensure that satisfactory consent is obtained at each of those points before the transfer takes place.

The consent exemption is not one-size-fits-all, and the extent to which companies can rely on it will depend on the nature of the data transfer and the relationship between the parties. For instance, if an employer requests consent from an employee, the imbalance in their relationship would generally prevent any such consent from being “given freely.” The EU and the Article 29 Working Party provide enough guidance to help companies determine whether and how to implement an effective method of consent.

In the wake of this decision, the Commission has prioritized discussions with the national DPAs and the Article 29 Working Party to find a unified approach, with the goal of providing clear guidance for businesses. We are monitoring progress on this closely and will update our clients with new and relevant developments.