U.S. companies reeling from the European Union top court's invalidation of the U.S.-EU Safe Harbor Program have another headache—the legal status of data they transferred out of the European Economic Area during the decade-and-a-half-long operation of the program.
Any transfer of data to the U.S. from the EEA in the last 15 years that relied only on the Safe Harbor Program may in principle be open to a legal challenge in the wake of the recent invalidation of the Safe Harbor adequacy decision, the European Commission, the EU's administrative arm, confirmed Oct. 7.
An official from the commission's legal service, speaking on condition of anonymity, told Bloomberg BNA that the European Court of Justice's Oct. 6 invalidation of Safe Harbor applied to past data transfers as well as future ones.
That means any transfer to the U.S. from the EEA—the 28 EU member states and Iceland, Liechtenstein and Norway—that couldn't show reliance on an alternative legal basis “should not have been made,” the official said.
A privacy attorney who asked not to be named because of the sensitivity of the issue told Bloomberg BNA Oct. 7 that the retrospective application of the ECJ's invalidation of Safe Harbor was “one of the biggest issues of the decision,” and a “crazy, crazy outcome.”
The court ruling “raises significant issues of legal uncertainty” because it could, in theory, result in EU data protection authorities being required to consider complaints against any data transfer in the last 15 years, the attorney said.
As If Safe Harbor ‘Never Existed’
The Safe Harbor Program allowed U.S. companies to transfer EU citizens' data to the U.S. if they self-certified to the U.S. Department of Commerce their compliance with privacy principles similar to those contained in the EU Data Protection Directive.
The ECJ, the EU's highest court, Oct. 6 invalidated a European Commission decision from 2000 that found that Safe Harbor provided adequate privacy protections for the data of EU citizens (194 PRA, 10/7/15).
The ECJ held that the commission's decision was invalid because the program didn't safeguard personal data against surveillance by the U.S. government and didn't allow for sufficient redress for EU citizens whose privacy had been breached. In addition, the commission's adequacy finding was flawed because it didn't fully respect the independence of EU national data protection authorities, the ECJ said.
The official from the commission's legal service said that the ECJ's finding that the adequacy decision was invalid “means indeed that the decision is gone as if it never existed.”
Howard W. Waltzman, partner at Mayer Brown LLP in Washington, told Bloomberg BNA Oct. 7 that the ECJ's invalidation of the commission finding means companies “can't rely on the decision in and of itself for any transfer.”
Under the EU's Data Protection Directive (95/46/EC), the personal data of EU citizens can only be transferred outside the bloc if the jurisdiction the data is being transferred to is judged to offer adequate data protection. Companies may also lawfully transfer personal data through the use of binding corporate rules or model contracts, or under exceptions, including that the data subject provides specific consent or that the data transfer is necessary for the fulfilment of a contract.
Risk of Challenges
The privacy attorney said it was difficult to tell if past transfers made under Safe Harbor would be challenged but that there remained a risk that another individual might raise a challenge, as Austrian law student Max Schrems did in the underlying case against Facebook Inc. that gave rise to the ECJ ruling.
It is likely that EU data protection authorities would be “practical,” and there was a “limited risk” that they would start their own investigations into transfers done under Safe Harbor, the attorney said. But any complaint to a DPA might potentially trigger “very tricky questions,” the attorney said. It would be difficult to demonstrate a fault when companies had acted in good faith under Safe Harbor, the lawyer added.
Waltzman said that any “retroactive liability” challenge against the validity of a data transfer made under Safe Harbor “would certainly be an interesting challenge in the courts.”
Harm Threshold Still in Play
A European Commission official speaking on condition of anonymity at a briefing Oct. 7 said that in case of any legal challenge against a data transfer made under Safe Harbor, a company could defend itself by showing that “at the moment of a transfer” it was using an alternative basis for the transfer allowed under the Data Protection Directive, such as binding corporate rules or model contractual clauses.
The official added that “there are a number of conditions that have to be fulfilled” in any attempt to challenge a past transfer made under Safe Harbor, including a question of whether data subjects faced harm from what would now be considered an unlawful transfer.
The commission official was unable to quantify the proportion of data transfers from the EU to the U.S. that rely only on Safe Harbor as a legal basis. Larger companies are “generally equipped with other bases,” such as BCRs, the official said.
However, there was “rapid growth in the number of companies that have participated over the life of Safe Harbor,” the official said.
Reproduced with permission from Privacy Law Watch, 195 pra-bul (Oct. 8, 2015). Copyright 2015 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com