September 2015 Blog

Safe Harbor, Schrems, the ECJ and the EU Commission: The Future of Transatlantic Data Transfer

ECJ declared data transfer to US illegal
On 6 October 2015, the Court of Justice of the European Union (ECJ) ruled that the Irish Data Protection Commissioner is obliged to investigate Facebook’s data transfer from Ireland to the US. In addition, the court held that the EU Commission’s “Safe Harbor” decision (Decision 2000/520) was invalid, rendering the majority of data transfers from the EU to the US illegal (Court of Justice of the European Union, judgment of 6 October 2015, Schrems vs. Irish Data Protection Commissioner, C-362/14).

In 2013, Austrian student Maximilian Schrems asked the Irish Data Protection Commissioner to investigate Facebook’s data transfer to the US. The commissioner refused, saying data transfers to the US were covered by the EU Commission’s Safe Harbor decision. Schrems brought suit before the Irish High Court, which referred the matter to the ECJ.

In its judgment rendered on 6 October 2015, the ECJ not only ruled that the data protection commissioner has to investigate Facebook’s data transfer, but that the entire “Safe Harbor” decision was invalid, stating that EU citizens’ personal data transferred to the US would become subject to excessive surveillance measures by intelligence agencies. The EU Commission’s Safe Harbor decision from 2000 violated EU citizens’ fundamental rights by not taking into account US security agencies’ massive surveillance.

What is Safe Harbor?
EU law only allows the export of personal data to other countries outside the EU if those countries provide adequate privacy protection. According to EU law, the US in general does not provide such adequate protection. In contrast to the EU, data privacy is not a fundamental right in the US and there are no comprehensive laws protecting privacy. To facilitate data transfer to the US, the EU Commission rendered the Safe Harbor decision in 2000 consisting of seven principles US companies must adhere to. Safe Harbor requires self-certification by the US company and registration with the Federal Trade Commission. To date, more than 5,000 US companies have made use of this self-certification to facilitate transfer of personal data.

What is the impact of the ECJ ruling?
Although the Court requires the Irish Data Protection Commissioner to investigate Facebook’s data transfer, the ECJ ruling is unlikely to have much impact on Facebook. Facebook’s data transfer to the US is not based on Safe Harbor, but user consent.

The ruling mostly affects companies from other business sectors. Safe Harbor was by far the most important legal means to enable data transfer to the US. Many US companies with branches in Europe or European companies with subsidiaries in the US rely on this very practical and easy-to-handle programme. Moreover, many mid-sized companies doing business with the US rely on the US company’s Safe Harbor certification to transfer personal data.

Small- and medium-sized German and other European companies using the services of large US cloud providers are also affected, since such services are often based on the provider’s Safe Harbor certificate allowing data flows to the US.

From 6 October 2015 onwards, Safe Harbor is no longer a legal basis for such data processing.

The ruling’s immediate effect
The ECJ ruling came as a surprise. Schrems, in his lawsuit before the Irish High Court, only implicitly challenged the Safe Harbor decision, but wanted the data commissioner to investigate Facebook’s data transfer in general. Following the court hearing in March 2015, the Advocate General moved to declare the Safe Harbor decision invalid in his opinion issued on 23 September 2015.

EU data protection authorities (DPAs) will apply the ruling immediately. For one thing, the ECJ ruling is binding, making all such data transfer illegal as of 6 October 2015; for another, German data protection authorities could refer to their own declaration issued in July 2013, criticising Safe Harbor and calling on the EU Commission to suspend it following the Snowden revelations.

On 16 October 2015, the Article 29 Working Party, which consists of EU data protection commissioners, announced that the data protection authorities will take all necessary and appropriate action, including enforcement, if no appropriate solution is reached with the US authorities by the end of January 2016.

Legal means to transfer data
All companies transferring data to the US have to review their data transfer policy immediately. All data transfer based on the Safe Harbor decision is now illegal and could result in hefty fines.

On 6 November 2015, the European Commission issued a communication to the European Parliament and the Council dealing with the consequences of the ECJ ruling. The Commission stated that whereas the court invalidated the Commission’s Safe Harbor decision, there are several alternative means that can be used by companies for lawful data transfers to third countries such as the United States.

The Commission stressed that Article 26 of directive 95/46/EC provides for a number of alternative grounds on which transfers could nevertheless take place. By far the most important means of operating data transfer will be the standard contract clauses (“SCC”).

To facilitate international data transfers, the Commission had approved four sets of standard contract clauses between 2001 and 2010 that meet the requirements of Article 26 para 2 of the directive. Two sets of these model clauses cover transfers between controllers, whereas the other two sets relate to transfers between a controller and the processor. When using such EU model clauses, the parties must detail, inter alia, the kind of transferred data, the purposes of processing and the measures taken to protect such data. Several additional requirements have to be observed to allow data transfer to the US recipient.

EU Standard Contractual Clauses
In its statement of 6 November 2015, the Commission made clear that its decisions approving SCCs are - like all commission decisions - binding in their entirety for member states; national data protection authorities are obliged to accept these standard clauses. Consequently, national data protection authorities must not refuse data transfer to third countries solely on the basis that standard contractual clauses do not contain the necessary safeguards.

US companies doing business in Europe, in Germany in particular, should prepare EU SCC and should be ready to enter into such clauses to allow data export by their European trade partners. The same applies to US companies with European branches or subsidiaries.

The DPAs have announced enforcement measures beginning in February 2016. In practice, despite their criticism of the legal situation in the US, national authorities will not be able to prevent EU companies or groups from transferring data to the US using SCC.

However, all such data transfer will come under close scrutiny by DPAs, which will thoroughly check whether SCCs are applied correctly and all legal requirements regarding data transfer are met. Companies must be aware that DPAs will halt any transfer and impose heavy fines if these requirements are not fulfilled.

What now?
Until 6 October 2015, many German and European companies transferring data to the US and their US recipients could rely on the US recipient’s Safe Harbor certificate for transfer of personal data. Since the ECJ ruling, Safe Harbor is no longer a legal basis for data transfer. European and US companies as well as international groups will first and foremost suffer from the consequences of the conflicts between US and EU law. It is of utmost importance for both EU and US authorities to find appropriate solutions. In the meantime, companies have to thoroughly review their data transfer policy and give such data transfers their full attention to ensure compliance with the EU legal framework.


Arnd Böken, Berlin
