News Flash : Safe Harbour scheme declared invalid

The Court of Justice, by its judgment on 6 October 2015 in case C-362/14, declared invalid the US Safe Harbour scheme which provides for personal data transfers between Europe and the United States of America.

As a consequence, all personal data transfers to the US currently based on the Safe Harbour scheme could potentially be challenged as infringing the Directive 95/46/EC on data protection.

WHAT IS THE SAFE HARBOUR SCHEME AND WHAT ARE THE CONSEQUENCES OF ITS INVALIDITY?

The Safe Harbour Decision is a compromise made 15 years ago between the European Commission and the US government, implementing a privilege under which transfers of personal data to (self-) certified entities based in the US are authorised, notwithstanding the fact that the US as nation does not ensure an adequate level of protection according to European standards.

This scheme allowed any US based entity complying with Safe Harbour principles to be certified, and thus authorised to process personal data transferred from Europe without any additional formalities. Until now, US Safe Harbour certified entities were considered as ensuring an adequate level of protection for protecting personal data processed in this context.

More than 4,000 US entities process personal data based on the Safe Harbour scheme, and it is being used by many businesses in Europe to justify data transfers to the US.

The Court of Justice held that the Safe Harbour scheme does not ensure an adequate level of protection. The invalidity of such scheme shall have direct consequences for any businesses operating data transfers to the US or outsourcing data processing in the US (e.g. SaaS) based on the Safe Harbour scheme.

Following the decision of the Court of Justice, any such transfers may now be challenged.

WHAT ARE THE ALTERNATIVE SOLUTIONS TO LAWFULLY TRANSFER DATA TO THE US?

The Safe Harbour scheme was not the only way to lawfully transfer data to the US, although it was relatively easy to implement in practice once the US entity was Safe Harbour certified.

Other options already exist to justify data transfers to third countries, thus these measures shall also be considered by businesses that perform data transfers to the US.

The most common way to legitimise foreign transfers is to use Standard Contractual Clauses approved by the European Commission and subject to the prior authorisation of the CNPD.

Another alternative to the Safe Harbour scheme would be to implement Binding Corporate Rules, which require the implementation of global privacy rules ensuring the protection of personal data. However, implementing binding corporate rules is a very long procedure and may become obsolete if the proposed draft EU Data Protection regulation is enacted before the approval of these rules.

It should also be borne in mind that the European Commission and the US government are currently negotiating to create a new Safe Harbour framework complying with European data protection law, thus the “wait and see” approach might also be considered.

However, in the long term this involves running the risk of losing the trust of customers and moreover, being open to challenge for non-compliance.