The European Court of Justice (ECJ) has ruled that national data protection authorities (DPAs) are free to decide whether the US is a safe destination for the personal data of EU citizens. This ruling enables DPAs to override the Safe Harbor agreement, which allows US businesses to transfer personal data with minimal regulatory burden.
The ruling hardly comes as a surprise: In the last few years, large-scale privacy breaches in the US have emerged, causing policymakers to question the effectiveness of Safe Harbor. Recent deals between US and EU authorities suggest that disruptions are likely to occur in the short term, but a new agreement on data protection frameworks could well be possible in the near future.
The Umbrella Agreement shows that US and EU legislators can cooperate on data protection regulation
Although the ECJ’s ruling is a blow to the current regime of personal data transfer from the EU to the US, it is hard to argue that nobody could see it coming. The number of headline-making privacy scandals has risen in the past two years and regulators have taken significant steps to reform and update data protection rules – particularly in Europe, where a comprehensive overhaul of the current framework is about to be finalized.
Not many, however, were expecting a court to step in and rule the Safe Harbor agreement invalid; but the effect of yesterday’s ruling was only to accelerate a process that was already happening, because in the last two years EU policymakers have repeatedly questioned the effectiveness of the agreement. In its current form, Safe Harbor is a self-regulatory regime under which US companies can easily transfer the personal data of EU citizens to the US, as long as they commit to guaranteeing adequate safeguards.
The ECJ’s decision doesn’t scrap Safe Harbor entirely and immediately, but it empowers national DPAs to decide independently whether the US is a safe destination for personal data. Based on the current EU framework for data protection, in cases where a DPA considers the US not to be safe, additional safeguards will be required for the data transfer to take place. These safeguards may take the form of appropriate contract clauses or of the unambiguous consent of the data subject (i.e. the end user). As a result, compliance costs may go up in the short term for businesses transferring personal data to the US.
However, some recent agreements between the EU and US authorities are promising and could lead to a better framework in the future. The recent deal on the “Umbrella Agreement,” which will provide stronger safeguards in the use of personal data to tackle crime, is a sign that US institutions are now more willing to grant the appropriate level of protection to EU citizens’ personal data and provide them with the appropriate judicial redress where needed. This could set a positive precedent and make it possible to replace the now outdated Safe Harbor relatively quickly.
Luca Schiavoni, Senior Analyst, Regulation