The agreement that allowed the transfer of personal data between businesses in the United States and the European Union was invalidated by the European Court of Justice on October 6, 2015. This “safe harbor” agreement had been in place since 2000. The Court’s decision throws into doubt the data collection and transfer practices of countless US businesses.
The safe harbor agreement was necessary because, under the European Data Protection Directive, the US is not considered to be a country with adequate data protection laws. The safe harbor agreement set up a framework through which a US company could self-certify with the US Department of Commerce that its data protection policies met the threshold required to protect EU citizens’ data.
The Court’s decision came about as a result of the disclosures by Edward Snowden of the US National Security Agency surveillance programs. Revelations that the US government collected information directly from US companies such as Facebook, Google, AT&T and others led to an EU citizen requesting that the safe harbor framework be re-examined. The case specifically related to Facebook, whose EU operations are based in Ireland. The case requested that the Irish Data Protection Authority examine whether the safe harbor system was still effective at protecting EU citizens’ data. The Irish Data Protection Authority decided that it could not investigate the matter. Because Facebook’s data collection policies were compliant with the safe harbor, the Irish Data Protection Authority did not have jurisdiction to investigate. On appeal, however, the European Court of Justice determined that the safe harbor framework is insufficient to protect EU citizens and is thus invalid.
The US and the EU have been negotiating a new safe harbor arrangement for over two years, but no agreement has been reached. In the short term, the European Court of Justice’s decision means that US companies will have to address the transfer of personal information through model contracts or binding corporate rules. Model contracts are binding contracts stating that anyone outside the EU will commit to the same level of protection as the EU Data Protection Directive. Binding corporate rules enable multinational companies to move data between the US and EU companies.
Taft has a wealth of experience drafting model contracts and implementing binding corporate rules to satisfy the EU Data Protection Directive. Please contact us if you would like to discuss our services.