The Safe Harbor Principles: What They Were and What Their Invalidation Means

November, 2015

Share with:

Silvia Raithel, Vol. 37 Associate Editor

In 1995, the European Parliament and Council passed the Data Protection Directive (Directive 95/46/EC) (the “Directive”).[1] The Directive requires that the transfer of personal data out of the European Economic Area to another country only take place if the other country ensures an adequate level of protection for the data.[2]  Adequate protection can be established by virtue of a country’s domestic law or international commitments.[3] On July 21, 2000, in order to meet the level of data protection required under the Directive, so as to facilitate data transfers from the European Economic Area to the United States, the United States Department of Commerce issued the “Safe Harbor Privacy Principles” (the “Principles”).[4] Organizations could voluntarily and publically adhere to the Principles.[5] On July 26, 2000, the European Commission (the “Commission”) held in European Commission Decision 2000/520 that the Principles provided adequate protection for personal data.[6] As a result U.S. organizations that voluntarily and publically adhered to the Principles could receive personal data transfers from the European Economic Area. On October 6, 2015, the Court of Justice of the European Union (the “Court”), in Maximillian Schrems v. Data Protection Commissioner (Case C-362/14) (“Schrems’ Case”), held that European Commission Decision 2000/520 was invalid.[7] Essentially, the Court decided that the Principles did in fact not provide for an adequate level of protection for personal data,[8] and that, therefore, U.S. organizations could not receive personal data transfers from the European Economic Area by virtue of their voluntary adherence to the Principles. One reason that the Court invalidated European Commission Decision 2000/520 was its belief that the Principles did not protect the personal data of European citizens from interference by the public authorities of the United States. The Court noted that only organizations that voluntarily adhered to the Principles were subject to them.[9] U.S. public authorities were not subject to the Principles.[10] The court also noted that national security, public interest, and law enforcement requirements of the United States superseded the Principles.[11] Thus, organizations that voluntarily adhered to the Principles were required to disregard them if they conflicted with the national security, public interest, or law enforcement requirements of the United States.[12] The Court Opined that this enabled unacceptable interference, by the public authorities of the United States, with the fundamental privacy rights of European citizens.[13] The potential impact of the Court’s decision in Schrems’ Case could be quite significant due, not in small part, to the large amount of personal data transferred to the United States from the European Economic Area by U.S. organizations. Aside from the personal data transferred by organizations like Facebook, personal data such as employee and client files are transferred on a regular basis. For the time being, until the United States and the European Union can agree on new safe harbor principles, the transfer of personal data from the European Economic Area to the United States can still be accomplished through more arduous means such as through binding corporate rules and model contracts.[14]  However, these means may prove to be too resource-intensive for many small organizations that relied on the Principles.[15] Only time will tell the full extent of the impact of Schrems’ Case.

[1] Directive 95/46/EC, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data,  2000 O.J. (L 281) 1, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML. [2] Courtney Bowman, US-EU Safe Harbor Invalidated: What Now?, Proskauer (October 6, 2015), http://privacylaw.proskauer.com/2015/10/articles/european-union/us-eu-safe-harbor-invalidated-what-now/. [3] Court of Justice of the European Union Press Release No 117/15, The Court of Justice Declares that the Commission’s US Safe Harbour Decision is Invalid (Oct. 6, 2015), http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf [hereinafter Press Release]. [4] Commission Decision (EC) No. 2000/520, 2000 O.J. (L 215) 1, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML. [5] Id. [6] Id. [7] Press Release, supra note 3. [8] Id. [9] Id. [10] Id. [11] Id. [12] Id. [13] Id. [14] Bowman, supra note 2. [15] Id.