A confluence of events has tested the strength of the Safe Harbor Framework and for now, it is no longer a port in the storm. Most recently, on October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor Framework in Schrems v. Data Protection Commissioner (Case C-362/14), concluding that the European Commission exceeded its authority by approving the Safe Harbor Framework in 2000. As predicted, the CJEU's decision followed the recent non-binding opinion of the EU's Advocate General, who argued that the Framework "must be declared invalid." The decision also comes in the midst of negotiations between the U.S. and the EU that have been ongoing since 2014, after the European Commission released recommendations for improving the Safe Harbor Framework following widespread media reports of U.S. surveillance activities.
Thousands of corporations that rely on the Safe Harbor to legitimize transfers of personal data from Europe to the U.S. are left wondering how to make sense of these events and what the pathway forward is. While the European Commission has promised guidance in the coming weeks, some local Data Protection Authorities ("DPAs") in EU Member States have released statements urging companies to "stay calm" and take a pragmatic approach. This paper provides an overview of where this decision brings us today, and where companies can go from here.
Background on Safe Harbor
Originally established in 2000 by agreement between the United States and the European Union, the Safe Harbor Framework ("Framework") was designed to facilitate the open flow of data from the EU to the U.S. The agreement was necessary because five years earlier, the EU had adopted the Directive 95/46/EC ("Directive"), establishing the European "adequacy" standard for privacy protection. The Directive prohibits, among other things, the transfer of personal data gathered within the EU for commercial purposes to locations outside the EU, unless such locations demonstrate an "adequate" level of data protection commensurate with EU standards. "Personal data" is defined broadly under the Directive "to include any information relating to an identified or identifiable natural person," meaning that even relatively mundane information like payroll and company phone books can be considered personal data.
To this day, the EU does not recognize the U.S. as providing an adequate level of protection for personal data, and thus transfers of personal data from the EU to the U.S. generally are prohibited unless the organization takes approved steps to legalize (also called "legitimize") the transfers. Up until the CJEU's October 6, 2015, decision, one such approved step was self-certification to the Framework.
The Safe Harbor Framework and Principles
At its core, the Framework is a self-regulatory regime whereby U.S. organizations could self-certify their compliance with seven Safe Harbor Privacy Principles ("Principles"), including the principles of notice, choice, security and enforcement.[1] After undertaking this self-certification, the U.S. organization enjoyed a binding presumption of "adequacy," and the organization could lawfully transfer personal data from the EU to the U.S. pursuant to the certification.
Given the Directive's broad definition of personal data, many companies that must send data from the EU to the U.S. (including EU companies that use servers located in the U.S.) chose to rely on the Safe Harbor for their everyday operations and free flow of data within the organization across jurisdictional lines. In the 15 years since the Framework was established to facilitate the transfer of personal data between the U.S. and EU, the number of participating organizations steadily increased from under 1,000 in 2005 to around 3,200 in 2013 and roughly 5,500 today.[2]
Approved by the European Commission in Decision 2000/520/EC, the Framework is administered by the U.S. Department of Commerce. The U.S. Federal Trade Commission ("FTC") oversees enforcement.[3] The FTC has the ability to...