C&P from Taylor Wessing (Big city legal firm that used to charge me fortunes)
Quote
Safe Harbor R.I.P.
Dramatic CJEU ruling declares the Decision which underpins Safe Harbor invalid.
What's the issue?
Last week we reported on Advocate General (AG) Bot's non-binding Opinion in the case of Schrems v Data Protection Commissioner, a reference from the Irish High Court. The AG recommended that the Court of Justice of the European Union (CJEU) find:
EU national regulators have the power to "look behind" Safe Harbor and suspend the transfer of data under Safe Harbor if they think the data is not being protected adequately as required by the EU Directive; and
The EU Commission's decision 2000/520 (Decision) establishing Safe Harbor under EU law is invalid because of the lack of protection for EU personal data in the US.
The Opinion caused huge consternation and uncertainty for organisations signed up to Safe Harbor as it put the legal foundation for the transfer of such personal data from the EU to the USA under serious question. As Safe Harbor is currently under renegotiation and a new General Data Protection Regulation is pending, the AG's Opinion was unexpected by many.
What's the development?
In a highly unusual move, the CJEU has handed down judgment within a fortnight (rather than the usual four to six months). It follows the AG Opinion in finding that a regulator cannot be prevented from examining a complaint by virtue of a Commission decision and, crucially, that the Decision is invalid. In other words, the Safe Harbor Principles are no longer presumed to afford an adequate level of protection of personal data.
This means the Safe Harbor principles will no longer bind Member State data protection authorities to allowing transfers of personal data to the US. Any transfer of personal data to the USA based on Safe Harbor will, therefore, potentially be subject to investigation by the regulators and to possible enforcement action.
What does this mean for you?
We expect several Member State regulators to suspend data transfers based on Safe Harbor. If you export personal data to a US entity signed up to Safe Harbor or if your organisation is signed up to Safe Harbor, you will need to find another compliance route. The good news is such routes exist, the bad news is that, for most companies, they take time and money to put in place.
Binding Corporate Rules (which are relevant only to intra-group transfers) can take a year or more to get regulator approval. Model contract clauses should be relatively straightforward to get signed (although compliance may be brought sharply into focus). However, some Member States require model clauses to be filed and even approved by regulators and that takes time. Getting the consent of data subjects to the export of their data is another possibility but many jurisdictions regard true consent as very difficult to achieve, especially retrospectively. In other words, there is no quick and easy fix to the loss of Safe Harbor.
What happens now?
The case in question has been referred back to the Irish Data Protection Commissioner for investigation, at the end of which the Irish regulator may decide whether or not to suspend data flows between Facebook Ireland and Facebook USA. This means that the CJEU has stopped short of suspending data flows itself but has passed the matter back to regulators. The 'rubber stamping' of data transfers under Safe Harbor has gone but data flows can only be suspended by regulators. The implication though, is that in the face of an investigation, if Safe Harbor is the only data export mechanism, the regulator is likely to find that protection is not adequate and to suspend the data transfer.
The prospect of mass enforcement action by all Member State regulators against every US company signed up to Safe Harbor, but without another compliance mechanism in place, looks far-fetched, and we would expect the more pragmatic regulators (UK, Ireland and others) to allow companies time to re-organise their compliance programmes. In countries like Germany where Safe Harbor has long been regarded with suspicion the regulators may not be so generous – they may feel concerns about Safe Harbor have been well flagged and so businesses should be prepared for alternative arrangements by now.
The key message to businesses is to 'get on it' immediately; organisations which are slow to react and are seen to be doing nothing risk attracting regulator attention. Some US companies have already moved away from Safe Harbor as a compliance mechanism as it has been under scrutiny for some time and particularly since the Snowden revelations. Now others will have to follow.
My Summary: The highest court in the EU have upheld a complaint against Facebook that, since the revelations about the NSA and similar organisations harvesting data, the US can no longer be considered a 'safe harbour' for data. It's an important distinction when it comes to EU data law and means EU consumer data can no longer be sent to the US.
In practice, I doubt anything will change in the short term but be aware. If you move personally identifiable data outside the EU to the US, you're now in breach of EU law.
Full judgement.
http://www.politico.eu/wp-content/uploads/2015/10/schrems-judgment.pdf
So, is this at all enforceable? How do you apply a law like this when it comes to something like email?
It's more about what agreements were signed when you sign up. If US companies only relied on the safe harbour agreement as a reason to send personally identifiable information to the US, then they're in trouble. I suspect that isn't the case though and most companies like G, FB etc., all have terms in their agreements covering this.
However, the data only applies to personally identifiable information. Emails are generally private and if mined for data, which the NSA etc. revelations seem to show, then they can't be in the US.
As to enforcement risk, I don't think there is much issue for smaller companies in the US, but the big boys, who all have major assets and offices within the EU, will need to change, if they haven't already.