10.07.2015


The Court of Justice of the European Union (CJEU) issued its landmark decision in Maximillian Schrems v. Data Protection Commissioner on October 6, 2015, ultimately invalidating the U.S.-EU Safe Harbor Framework.

Under national implementations of EU data protection law, a legal framework which broadly regulates all data relating to an identified or identifiable individual, it is prohibited to transfer or send personal data outside of the European Economic Area unless the destination country provides an “adequate” level of protection, as determined by the European Commission or a competent Member State data protection authority.  The U.S.-EU Safe Harbor Framework, which was adopted pursuant to a decision by the European Commission, declared the United States an “adequate” destination for personal data so long as companies self-certified that they complied with a set of data protection principles similar to principles found under EU data protection law.

Following revelations made by Edward Snowden and European concerns over U.S. national security laws, the CJEU has now held that the European Commission failed to ensure that U.S. law provides “a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.”  With that ruling, the CJEU struck down the U.S.-EU Safe Harbor Framework as a lawful means of transferring personal data from the EU to the U.S.

Approximately 4,500 companies operating in the United States have self-certified under the U.S.-EU Safe Harbor Framework as a way to legitimately transfer personal data from the European Union.  Each of these companies will now need to find an alternative method to lawfully transfer personal data.  Current alternatives exist, such as (1) EU Model Contracts, standard form non-negotiable agreements that impose EU-like data protection obligations through contract; and (2) Binding Corporate Rules, binding self-governance rules that are adopted by companies and approved by the Member States.  Keep in mind that these alternatives, particularly Binding Corporate Rules, have unique complexities and require careful thought and time.

Unfortunately, there is no one-size-fits-all response to how companies should move forward following the CJEU’s decision.  Given the legal uncertainty and speculation among the data protection and privacy community, we provide guidance to help companies grapple with these issues:

  • You are not alone.  Each of the approximately 4,500 previously Safe Harbor-certified companies is in the same situation.  The decision is effective immediately, but regulators have indicated informally that there will be a grace period to allow companies to achieve compliance.
  • Information is on its way.  European data protection authorities are convening and should provide guidance on how companies that are certified under the U.S.-EU Safe Harbor Framework can comply with EU data transfer obligations now that the U.S.-EU Safe Harbor Framework is unavailable.
  • There is a new Safe Harbor Framework on the horizon.  For the past two years, the EU and the U.S. have been in negotiations regarding a revised Safe Harbor Framework.  The UK data protection authority reported yesterday that these negotiations are “well advanced.”
  • The EU and the U.S. are working together to find ways to lawfully transfer personal data across regimes.  In September, the EU and the U.S. entered into a new “Umbrella Agreement” on the protection of personal information relating to the prevention, investigation, detection and prosecution of criminal offenses.  This Umbrella Agreement, along with other potential legal reforms, should help address European concerns over U.S. national security laws.
  • The EU is revising its data protection legislation.  Since 2012, the EU has engaged in a lengthy review of its data protection framework and is expected to introduce a new generally applicable regulation by the end of this calendar year.  This new law will take effect two years after official publication and will replace existing data protection law and refine existing data transfer mechanisms.

We recognize that companies will be unsettled about being in a state of noncompliance with EU data transfer laws while a new compliance regime is worked out.  Some companies may choose to adopt one of the alternative compliance measures noted above to meet customer expectations or other needs. For other companies, patience may be the only option.  In all cases, we recommend that companies reach out to counsel and carefully consider relevant information and options before committing to any particular course of action.

© 2015 Perkins Coie LLP
