On September 23, the European Court of Justice heard the case which will determine whether US companies can rely on Safe Harbor as a measure to provide adequate privacy protection for personal data imported from the European Union. As of today, more than 4000 US companies have notified the Department of Commerce that they are currently compliant with Safe Harbor. According to the Opinion of Advocate General Yves Bot, however, Safe Harbor certification is not sufficient to comply with European data export requirements. It is not certain but likely that the European Court of Justice will follow the arguments of the Advocate General.
How should companies react on the Opinion of the Advocate General? For the time being, nothing changes. The Opinion is not the final judgment which can be expected before the end of this year. Meanwhile, Safe Harbor stays in place, unless the European Commission decides to suspend Safe Harbor under the political pressure caused by the release of the Opinion. Back in 1995, experts claimed that the European Data Protection Directive would put an end to international trade. The same might be claimed about the upcoming decision (or the proposed European Data Protection Regulation), but experience shows that solutions can be found. Hopefully, the Court will give the European Commission some time to remedy the issues.
Companies should prepare for the likely outcome that the Safe Harbor framework fails to convince the Court of Justice. Given that Safe Harbor is only available as a measure for data transfers to the US, several alternatives are already the primary solution in many other non-EU countries in the world as well as US companies who do not fall under the jurisdiction of the US Federal Trade Commission or Department of Transportation. The main alternatives are:
- To enter into so-called Model Contracts (for importing data processors or controllers) which can be implemented quite quickly, but depending on the circumstances may cause substantial administrative burdens.
- To establish Binding Corporate Rules, but the process to get them approved by European data protection authorities can take many months, and more commonly, years.
- Finally, companies should reconsider whether they need to provide measures to ensure adequate protection for data imports to the United States, because there are a number of scenarios in which such measure are not required. For example, companies might rely on consent of data subjects or the necessity to transfer the data in order to fulfill a contract with the data subjects.
The Safe Harbor framework for data exports to the US is useful, but not indispensable. There are challenging legal issues involved in moving away from Safe Harbor. One issue is caused by the fact that companies will need to continue to process data that was imported under Safe Harbor. These issues will need to be solved in a pragmatic manner.
If the Court decides against Safe Harbor, the framework might still have another chance. The court case runs in parallel to ongoing negotiations between the European Commission and the US Government to review the existing Safe Harbor framework. Today’s events at the Court of Justice will put pressure on the negotiation process, as well potentially on voluntary tightening of Safe Harbor procedures on the US side. However, by the time a revised Safe Harbor framework gets approved by the European Commission, many companies may have already opted for alternative transfer mechanisms. They will probably stay with these alternatives given that Safe Harbor compliance is under the jurisdiction of the Federal Trade Commission and the other alternatives are not.
If the Court follows the Opinion of the Advocate General, the decision might have further consequences. If the main reservation against Safe Harbor lies in the fact that there are no remedies against US surveillance activities, neither Model Clauses nor Binding Corporate Rules can solve the issue. In addition, the same argument would apply to transfers to other countries with extensive government surveillance rights. This would force companies to rely on concepts like consent. In many cases, gaining consent of all data subjects involved might not be feasible, but in some cases it would be. The result of a trend to gain consent for data transfer from the data subject would be that no further safeguards would need to be in place. Whether such a development would serve the protection of personal data exported out of the European Union, can rightly be put into question.