The End of a Safe Harbor: The Schrems Decision Calls for Stricter Standards for Protection of Personal Data Transferred to the US

Traci Biedermann
J.D. Candidate, Columbia Law School, 2017

Scrutiny of the United States’ measures for protection of personal data from government surveillance has increased following Snowden’s revelations regarding the National Security Agency (NSA). In fact, these revelations are still making ripples in the area of data protection, one such being the case of Schrems v. Data Protection Commissioner (Case C-362/14). Fearing that his data was being improperly protected after transmission to the US by Facebook, Maximillian Schrems, filed a complaint alleging that the US did not have adequate protections against government surveillance of his personal data.

Under the EU Data Protection Directive (95/46/EC), personal data cannot be transferred to countries outside of the European Economic Area (EEA) unless the receiving countries’ data protection measures are deemed adequate. EU Commission Decision 2000/520/EC, however, changed the game by establishing the Safe Harbor framework between the EU and US. These Safe Harbor provisions allowed US companies to self-certify that they would provide adequate protections of personal data transferred to the US in compliance with the principles outlined in the safe harbor framework. This was efficient for US companies, since they could self-certify adequate protection no matter what country in the EU the personal data was originating from. The Schrems case challenged the Safe Harbor decision.

Ireland’s High Court first examined Schrems’ case, which was stayed when the High Court realized that Decision 2000/520/EC was being contested. When the European Court of Justice took on the case, it determined that it could review Commission Decision 2000/520/EC and invalidated it. The court reasoned that “protection of the fundamental right to respect for private life at EU level requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary . . . Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made . . . .”[1] This decision eliminated the almost 16 year-old Safe Harbor.

Although it began with Facebook, the Schrems decision will impact all sorts of companies, not just social media companies. Many companies, for example, transfer employment and other types of data from the EU to the US for human resources purposes, relying almost entirely on the old safe harbor procedures prior to Schrems. Although the extent of impact the Schrems decision will have is still not fully known, many companies are finding alternatives for transferring data in compliance with EU laws. Two such alternatives include binding corporate rules (BCRs) and model contracts/model contractual clauses.

BCRs are internal rules used by companies to ensure adequate safeguards with respect to transferred personal data. Working Papers 153, 154, and 155 of the Article 29 Data Protection Working Party provides companies with guidance on what compliant BCRs should include. Some of the recommended elements include: a description on how the BCRs are made binding on different entities of the company as well as its employees, confirmation of the existence of a complaint handling procedure, a means of auditing compliance, a description of the data transfers covered as well as the privacy principles covering such transfers (i.e.: restrictions regarding onward transfers, rights of access, etc.), and an acknowledgment of a duty to cooperate with data protection authorities. These rules must pass through an approval procedure to ensure adequate compliance.

The procedure begins with designation of a leading authority from amongst the data protection authorities (DPAs). The location of the company’s European headquarters and other factors should be considered in making the selection. Once a designation is made, the company must submit a draft of its BCRs to the leading authority for comments on their adequacy. If deemed inadequate, the company must amend the BCRs according to the comments. If deemed acceptable by the leading authority, the BCRs are then circulated to any relevant DPAs. Under mutual recognition, acceptance by the leading authority is sufficient for any covered DPAs. However, the remaining DPAs (not included in mutual recognition) must also approve the BCRs. Once finalized, the company can begin requesting authorization of data transfers. The entire procedure, unfortunately, can take up to 12 months to complete.

Model contracts/contractual clauses involve the use of standard contractual clauses. The Commission, under the authority of the Council and European Parliament, has issued three decisions providing standard contractual clauses that provide adequate safeguards. Two sets regard the transfer of data to non-EU data controllers (Decision 2001/497/EC and Decision 2004/915/EC), and the final covers data transfers to non-EU processors (Decision 2010/87/EU).

While these alternatives represent viable options for many large companies, who will likely not feel the brunt of the blow, smaller companies (SME’s) with limited resources, on the other hand, may not be so lucky. Without the vast resources of large companies, these companies may now be forced to cease the transfer of personal data to the US. This disproportionate impact could have economic repercussions in the future.

In the end, an ideal solution would be implementation of some new agreement or new safe harbor framework. This would likely need to entail stricter restrictions on U.S. government access to transferred data. While a new safe harbor framework has been in the works for some time, it is hard to say if or when it will come to fruition. While we wait for a more comprehensive solution, companies will have to stop the transfer of personal data from the EU to the US, an extremely unlikely outcome, or make use of available alternatives, such as model contractual clauses and BCRs.

Featured image source:

[1] Schrems v. Data Protection Commissioner, Case C-362/14, EU:C:2015:650, ¶¶92-93.