The European Court of Justice (ECJ), the highest court in the European Union (EU), struck down the U.S.-EU Safe Harbor Agreement on Tuesday, October 6th.
The Safe Harbor
Under the terms of the Safe Harbor, American companies were allowed to collect and transfer data from the EU by “self-certifying” to the U.S. Department of Commerce that they were in compliance with seven “privacy principles,” rather than trying to adhere to specific privacy laws in the various EU countries. The agreement was designed to ease the removal of European subjects’ data to the U.S. by American companies.
According to the ECJ, the Safe Harbor Agreement — first approved by the European Commission in 2000 — violated the EU’s Data Protection Directive. Broadly, the Directive forbids the transfer of personal data outside the EU unless the country where the data is being sent has adequate privacy protections. The Directive also requires each EU member state to designate one or more “data protection authorities” (DPA) to monitor the application of the Directive in its particular territory. The Safe Harbor Agreement was previously used as a shortcut or “safe harbor” for American companies to avoid scrutiny by individual DPAs.
The case in which the ECJ just ruled was originally filed by Max Schrems, an Austrian law student challenging Facebook’s removal, under the Safe Harbor framework, of his personal information from a data center in Ireland to the United States. Schrems was inspired to file the lawsuit after Edward Snowden released documents showing U.S. intelligence agencies mining personal information from the data of U.S. companies. Earlier this year, the High Court of Ireland found Schrems’ claims without merit, but the case was referred to the ECJ. On Tuesday, the Court ruled that American companies removing data from the EU can no longer hide behind Safe Harbor.
Compliance for market researchers after the ECJ court decision
Presumably, now that Safe Harbor has been invalidated, U.S. companies — including survey, opinion and market researchers — are subject to a number of different DPAs across the EU, each of which will be individually responsible for determining whether the United States’ data protections are “adequate.” This makes removal of data from the EU far more complicated and perilous. Theoretically, U.S. companies could be subject to fines from which Safe Harbor previously shielded them.
Market researchers who had previously “self-certified” under Safe Harbor should consult with an attorney on how to continue removing data from the EU legally. Options may include obtaining consent from data subjects, or including clauses in contracts which govern data removal. Keeping an eye on continuing developments is essential.
We will share further information and guidance as soon as it is available, which may range from countervailing action from the European Commission to the speedy, successful conclusion of trans-Atlantic negotiations for a new Safe Harbor agreement.
The information provided in this document should not be construed as, or substituted for, legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any given laws and legislation and their impact on your particular business.