European Union Declares Data Security Framework Invalid

Decision could impact thousands of businesses, including ATP members


On October 6, 2015, the Court of Justice of the European Union declared invalid the more than 15-year-old EU-U.S. Safe Harbor Framework. Thousands of businesses have relied upon the Safe Harbor Framework to ensure that transfers of employee, consumer, user and other personal data from the EU to the U.S. for storage or processing comply with the EU's strict data privacy rules. With the EU high court's decision, however, there is now significant uncertainty on both sides of the Atlantic, as stakeholders must assess the operational, practical, and legal implications of EU-to-U.S. data transfers in the absence of the protections of the Safe Harbor Framework. For background on this issue, download the attached article, reprinted by permission of the authors.

According to ATP's Legislative Counsel Alan Thiemann, "The October 6 decision stems from a complaint made by an Austrian citizen in 2013 against Facebook. As is the case with any subscriber residing in the EU, some or all of the data provided to Facebook is transferred from Facebook's Irish subsidiary to servers located in the United States, where it is processed. In holding that the laws and practices of the United States do not offer sufficient protection against illegal surveillance by the public authorities (i.e., the NSA) of the data transferred to the U.S., the EU Court of Justice found that the existing EU-U.S. Safe Harbor agreement is invalid. Consequently, the Court ordered that the Irish supervisory authority is required to investigate the complaint against Facebook and decide whether Facebook is in violation of the EU data privacy directive, and if so, what penalties should be imposed, including fines and/or suspension of options."

Thiemann added, "This decision is of particularly severe impact on service providers that have multi-national dealings involving the capture and use of data of EU citizens (approximately 4,500 U.S. companies rely on the Safe Harbor). Of critical importance, though, the decision does NOT order an immediate end to use of the Safe Harbor for personal data transfers -- rather, it only means that any EU country's regulators have the right to investigate such complaints and to issue fines and suspend a company's reliance on the Safe Harbor if it finds that the company is transferring data without sufficient privacy. Of course, any investigation will create a costly legal nightmare, so it is prudent to try to take preventative steps. At a minimum, ATP members should begin to consider how they can demonstrate that they in fact provide sufficient privacy using alternative methods beyond the Safe Harbor. Some larger IT companies are already responding by expanding their data centers in Europe, but smaller companies are going to find it prohibitively expensive to build their own facilities in Europe or pay some third party that has such facilities. Another option might be to use so-called 'model contracts' approved by specific EU countries, or the company could attempt to seek advance approval from each individual EU country -- a process that could take years."

Thiemann noted that ATP will continue to monitor this issue as further information on alternative options for demonstrating data privacy is developed. "As discussed in the attached article, U.S. and EU regulators have been negotiating over a new, tougher Safe Harbor Agreement for some time now -- but there is no definitive date for any new agreement," he concluded.