EU Data Transfer Path for U.S. Companies Invalidated

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner


Oct. 6 — Thousands of U.S. companies are left scrambling to find new ways to lawfully transfer personal data outside of the European Economic Area, after the European Union's top court Oct. 6 invalidated immediately the 15-year-old U.S.-EU Safe Harbor Program.

The European Court of Justice in one fell swoop removed the U.S.-EU Safe Harbor Program, which allowed U.S. companies to transfer EU citizens' data to the U.S. if they self-certified to the U.S. Department of Commerce their compliance with privacy principles similar to those contained in the EU Data Protection Directive (95/46/EC).

About 4,400 U.S. companies that are certified under the program must now quickly find other ways to lawfully transfer personal data outside the EEA, which is made up of the 28 EU member states plus Iceland, Liechtenstein and Norway.

EU regulators are not expected to crack down on U.S. companies immediately, and some companies already use other data transfer protocols. But the decision complicates the compliance picture for U.S. companies already preparing for a coming new EU data protection regulation that is intended to replace the Data Protection Directive.

The ruling “pulled the rug under the feet of thousands of companies” that have been relying on the Safe Harbor, Monika Kuschewsky, special counsel at Covington & Burling LLP in Brussels, told Bloomberg News Oct. 6. “All these companies are now forced to find an alternative mechanism for their data transfers to the U.S. And, this, basically overnight.”

The ECJ's ruling applies to a 2000 decision by the European Commission, the EU's administrative arm, which found the Safe Harbor program administered by Commerce and enforced by the U.S. Federal Trade Commission provided adequate privacy protection, in line with the Data Protection Directive.

Any transfer of data from the EU to the U.S. under the Safe Harbor is now a breach of EU data protection law, Nigel Parker, a partner with Allen & Overy LLP in London, told Bloomberg BNA Oct. 6. But companies with alternative means for data transfers in place, such as binding corporate rules (BCRs) or model contracts, would be able to continue to transfer data using those instruments, Parker said.

Henriette Tielemans, a partner with Covington in Brussels, told Bloomberg BNA Oct. 6 that the ECJ's invalidation of the program also meant that past data transfers during the 15 year duration of the Safe Harbor decision were now not covered by a data protection adequacy arrangement.

“They're all illegal. For the legacy data I don't know what the solution is,” Tielemans said. It is hard to predict if the invalidation of Safe Harbor might trigger legal cases about past transfers and processing, Tielemans said.

Sophie Coremans, a spokeswoman for the U.S. Mission to the EU, told Bloomberg BNA Oct. 6 that the mission was studying the ECJ ruling and “reviewing it before making any comment.”

Pragmatic Implementation?

Susan Danger, managing director of the American Chamber of Commerce to the EU, said in an Oct. 6 statement that “international business could be severely disrupted” by the immediate invalidation of Safe Harbor.

“Today's court decision will jeopardize the free flow of data across the Atlantic,” and the EU authorities should “offer alternative mechanisms and a reasonable transition period,” Danger said.

Parker said that EU national data protection authorities—the privacy regulators for the 28 EU member states—are likely to be “pragmatic and acknowledge that companies need some time” to adopt alternative grounds for transfers, with an “immediate crackdown” on infringers unlikely.

David Smith, the U.K. deputy information commissioner, said in an Oct. 6 statement that the ECJ ruling meant that “businesses that use Safe Harbor will need to review how they ensure that data transferred to the U.S. is transferred in line with the law. We recognise that it will take them some time for them to do this.”

Tielemans said companies had “relied in good faith” on the program and its invalidation should prompt EU data protection authorities, especially acting as the Article 29 Working Party data protection advisory body to the European Commission, to respond quickly to find ways of providing companies with legal certainty “both for the future and the past.”

The invalidation of Safe Harbor “creates a great upheaval at a time when companies should be getting ready” for the pending EU data protection regulation which has been proposed to replace the over 20-year-old Data Protection Directive, Tielemans said.

Search for Alternatives 

Parker said that larger companies, such as Microsoft Inc., self-certify under Safe Harbor, but do not rely only on it as a basis for data transfers, and would have alternatives, such as the EU-approved BCRs and model contracts, already in place.

Companies without alternatives might be in a difficult position. BCRs must be approved by data protection authorities and “typically take about 18 months to obtain,” Parker said.

On model contracts, “in theory you can have them quite quickly,” but their adoption could be “cumbersome” for multinational groups, Parker said, in particular because EU member states apply different rules to their use. Adoption of model contracts “can take days, weeks, months, depending on the jurisdiction,” Parker said.

Tielemans said that in some countries, such as Austria, Poland and Spain, model contracts must be approved by DPAs, a process that takes “three to six months in a regular period, and this is not a regular period.” There will likely be an “avalanche of authorization requests,” she said.

Françoise Gilbert, a partner at Greenberg Traurig LLP in Palo Alto, Calif., noted another possible long term alternative. “Some U.S. companies are already establishing servers in Europe in order to avoid the thorny issues of prohibition against cross border data transfers,” she told Bloomberg BNA Oct. 6. However a move to more data localization may “lead to a world of silos,” she said.

Transfer Inventory, Contract Review Urged 

Eduardo Ustaran, a partner at Hogan Lovells International LLP, in London, said his law firm is advising companies in the wake of the ECJ ruling to: identity data transfers that were legitimized by the Safe Harbor Program; prioritize “key transfers” by the nature of the data and its use; and identify entities involved in intra-group transfers and assess suitable transfer alternatives, such as BCRs.

Companies should review existing contracts on transfers to service providers for references to the U.S.-EU Safe Harbor Program to assess whether the vendor is offering a suitable alternative, he said.

Those U.S.-based service providers should consider what legal mechanisms are available to allow them to continue to lawfully provide services, Ustaran, who is a member of the advisory board to Bloomberg BNA's Privacy & Security Law Report, said.

U.S.-EU Negotiations to Continue 

The European Commission played down the impact of the ECJ ruling and emphasized the alternative BCRs and model contracts mechanisms.

Vera Jourová, the EU Commissioner for Justice, Consumers and Gender Equality, speaking at a briefing in the European Parliament in Strasbourg, France, Oct. 6, said the commission would work with the Article 29 Working Party to issue guidance on data transfers in the light of the court ruling. “We will come with further analysis and further explanations in the coming weeks,” she said.

The commission began a renegotiation of the U.S.-EU Safe Harbor Program with the U.S. authorities in November 2013 in the wake of revelations by Edward Snowden, a former employee of a U.S. National Security Agency contractor, about U.S. government surveillance practices. The commission reaffirmed the program but made 13 recommendations for upgrading it.

In June 2014, the former EU Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding said that U.S. officials had agreed to 12 of the 13 commission recommendations, and that the only point to be resolved was the extent to which U.S. national security bodies would be able to access the data of EU citizens transferred under the program. That has remained a sticking point.

Jourová said that the talks will continue and the ECJ ruling “confirms that we are doing the right thing—we are negotiating the safer Safe Harbor.” The negotiations will take the ECJ ruling into account, she said.

There is “no concrete date” for finalization of the negotiations, and more time is needed on national security issues related to data transfers, Jourová said.

2000 Safe Harbor Approval Flawed 

The ECJ said in an Oct. 6 statement that the commission's 2000 decision in support of the U.S.-EU Safe Harbor Program was flawed because it didn't take into account that the program “enables interference, by United States public authorities, with the fundamental rights of persons.”

In effect, U.S. authorities could ignore the privacy protections of Safe Harbor and could “access the personal data transferred from the member states to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security,” the ECJ said.

Furthermore, the U.S. offers insufficient redress to EU citizens whose privacy might have been compromised, and the commission's Safe Harbor decision did not respect the powers of EU national data protection authorities, the ECJ statement said. The U.S. Congress, however, is considering a bill (H.R. 1428) to give EU citizens limited rights to sue under the Privacy Act for alleged government misuse of their personal data.

The ruling followed an ECJ advocate general's Sept. 23 advisory opinion, which held the U.S.-EU Safe Harbor Program didn't protect the privacy rights of EU citizens in the face of “mass, indiscriminate surveillance” by U.S. security agencies.

Irish Referral 

The underlying case was referred to the ECJ by Ireland's High Court after the Irish Office of the Data Protection Commissioner (ODPC) said it didn't need to examine an individual's complaint about data transfers made by Facebook Ireland Inc., because the transfers were done in accordance with the U.S.-EU Safe Harbor Program. Facebook's European operations are headquartered in Ireland.

After the Snowden revelations, Austrian law student Max Schrems asked the ODPC to investigate if his data transferred by Facebook might have been turned over to the NSA.

The ECJ said that even in cases in which adequacy decisions for data transfers were in place, DPAs “must be able to examine, with complete independence, whether the transfer of a person's data to a third country complies with the requirements laid down” in the Data Protection Directive.

Schrems said in a statement Oct. 6 that the ECJ ruling “draws a clear line” and is “a major blow for US global surveillance that heavily relies on private partners.” The ECJ judgment “makes it clear that US businesses cannot simply aid US espionage efforts in violation of European fundamental rights,” Schrems said.

U.S. Enforcement Criticized 

Allen & Overy's Parker said that prior to Snowden's revelations there had been “relatively little enforcement” of data protection laws in relation to international data transfers. “Snowden has been a catalyst for real enforcement,” he said.

Claude Moraes, a British member of the European Parliament and chair of the parliament's Civil Liberties, Justice and Home Affairs Committee, said in an Oct. 6 statement hat “compared to the strong, enforceable data protection legislation that exists in the EU, Safe Harbor offers completely inadequate protection for EU citizens using services from US companies.”

The FTC has brought enforcement actions against several U.S. companies for failing to properly renew their U.S.-EU Safe Harbor Program certifications or for claiming they had been certified when they had never applied.

With assistance from Stephanie Bodoni in Luxembourg

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor on this story: Donald G. Aplin at

Full text of the ECJ judgment is available a


Request Bloomberg Law: Privacy & Data Security