No Safe Harbor: Why U.S. Companies Must Be Aware of Europe’s Privacy Rules
The European Union has consistently provided its residents greater data protection than the United States. Directive 95/46/EC outlines specific requirements for data protection, including a provision that transfers of personal data to a third country may be allowed only if the third country ensures an adequate level of protection. In 2000, the European Commission determined that the U.S. did not adequately protect personal data; as a stopgap measure, the Commission allowed companies to transfer data related to EU residents to U.S.-based servers, provided the companies certified they were in compliance with EU data protection policies (the “Safe Harbor Decision”).
On October 6, 2015, however, the European Union Court of Justice (ECJ) invalidated this “safe harbor” provision. The challenge came from Maximilian Schrems, an Austrian Facebook user who complained to the Irish supervisory authority. Facebook operates an Irish subsidiary that transfers some or all data from EU subscribers to servers located in the U.S. Schrems argued that the information revealed by Edward Snowden in 2013 made clear that the activities of the U.S. National Security Administration leave private data in the U.S. without protection. The ECJ agreed and invalidated the Safe Harbor Decision, noting that “legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” In the end, the ECJ referred the case back to the Irish supervisory authority to determine whether “transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.”
The Federal Trade Commission maintains a list of the 5482 organizations ever certified as compliant with the Safe Harbor Decision. The list spans many industries, from clothing retailers to software providers to cloud storage companies. The impact of the ECJ’s decision on these companies is not immediately apparent, as the EU Member States have been assigned the task of determining whether to suspend data transfers to the U.S. Given the stringent data privacy standards in the EU and its Member States, as well as the suspicion generated in Europe by Snowden’s statements, it is reasonable to assume that at least one Member State will determine that such suspension is warranted.
Companies that are invested in the Safe Harbor process must determine whether data centers for European subsidiaries or entities should be relocated to an EU Member State. Some companies may need to create completely separate policies and procedures for EU-based users. Given the uncertainty created by this ruling, small companies that have not yet begun doing business in Europe should consider waiting until more details are known.