As we reported in our recent blog, the Attorney General (AG) of the Court of Justice of the European Union (CJEU) recently issued an opinion throwing serious doubt on the validity of the US “Safe Harbor Scheme”. As we predicted, the AG’s opinion was followed in large part by the full CJEU. This means that the CJEU has declared the US Safe Harbor Scheme to be invalid.
The CJEU’s decision focused on the derogation in Safe Harbor which allowed data to be passed to the US National Security Agency (NSA) and other US Government agencies. The CJEU held that this very generalised access to personal data, with no or little right of redress for European citizens whose data had been disclosed to a US government agency, meant that the US did not ensure an adequate level of protection for the data.
There was, however, some better news for companies from the CJEU. Its judgment deviated from the opinion of the AG, who had said that it would be open to national Data Protection Authorities to question whether or not other non-EEA countries provided an adequate level of protection for personal data. The CJEU instead confirmed that it is the only body with the power to review decisions of the EU Commission approving international transfers of data. What this means in practice is that if, as now seems likely, a Safe Harbor II comes into being, it will not be susceptible to being ruled invalid on a country-by-country basis, which would of course leave users with a considerable amount of uncertainty. Instead, any questions of validity will need to be decided centrally by the CJEU.
If taken at face value, the CJEU’s decision means an (at least temporary) end to large parts of the internet and a serious threat to many companies operating in the cloud, as large volumes of cross-border data transfers have routinely relied on Safe Harbor.
The reality, however, is that prosecutions are very unlikely at this stage. Guidance on what to do in practice will be forthcoming fairly shortly from national Data Protection Authorities and from the Article 29 Working Party (a grouping of the national Data Protection Authorities of the EU).
It is, however, not clear how far away we are from a Safe Harbor II, which largely depends on negotiations between the EU Commission and the US Department of Commerce that may take some time. It is therefore likely that companies will need to review how they transfer data outside of the EEA, and particularly to the US. We touched on a number of potential options in our earlier blog, with the adoption of the Commission’s model clauses looking to be the favourite solution in the short to medium term. At this stage, however, the better view is not to do anything until formal guidance is issued, but companies should at least be prepared to make changes in the way that they handle cross-border data transfers.
Please note that this blog is provided for general information only. It is not intended to amount to advice on which you should rely. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content of this blog.
Edwin Coe LLP is a limited liability partnership registered in England and Wales (No. OC326366) and is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office: 2 Stone Buildings, Lincoln's Inn, London WC2A 3TH. "Partner" denotes a member of the LLP or an employee or consultant with the equivalent standing.