The safe harbour was a convenient fiction that enabled business-as-usual processes to take place between the EU and the U.S. Many were shocked when the Court of Justice of the European Union (CJEU) ruled it invalid, but in reality, the judgment should not have come as a surprise.
The reasoning of the court was very clear – from a “black letter” legal perspective, U.S. laws do not give individuals the level of privacy expected and provided for under EU law as to the extent to which law enforcement agencies can access data.
The judgment says: "A number of revelations have recently brought to light the existence of large-scale information-gathering programmes in the United States. Those revelations have given rise to serious concerns as to whether the requirements of EU law are observed when personal data is transferred to undertakings established in the United States." The ruling is a direct consequence of the Snowden revelations.
But while from a strict legal perspective it is understandable why the court came to the conclusion that it did, it is unfortunate that the judgment pays little regard to the untenable, impractical circumstances it creates. Businesses that rely on the safe harbour must immediately find an alternative basis on which to transfer data between the two trading zones, where the only alternatives that exist are costly and difficult to implement.
One alternative is to renegotiate contracts on which transfers are based so that they include “model clauses” approved by the European Commission (EC). While some EU member state regulators, most significantly those in Germany, have suggested that these model clauses should also be struck down as invalid on the same basis that the safe harbour agreement has been invalidated, the EC has made it very clear that local regulators do not have the authority to overrule an EC decision. Invalidating EC model clauses could only occur if the CJEU were to judge them invalid.
The bottom line is that any business that relies on the safe harbour can now begin the process of renegotiating contracts so that they include the EC's model clauses. However, convincing an existing third-party provider to agree to new terms is almost always going to involve a costly, lengthy process and a high level of uncertainty.
For intra-company transfers, businesses can put in place “binding corporate rules.” Experience indicates, though, that this is not a simple process and can take more than 12 months before regulator approvals are given.
Safe harbour 2.0
While the EC is hopeful that a new safe harbour can be finalised within three months, it will need to address the CJEU's two central concerns. The first is that United States intelligence services can access data in an "indiscriminate generalised manner." The new safe harbour will fail if it still enables U.S. intelligence agencies to access data relating to "all persons and all means of electronic communication and all the data transferred, including the content of the communications." Specific limitations will therefore need to be set out in the agreement.
Second, the new safe harbour must include appropriate guarantees to protect EU citizens. While U.S. citizens and legal residents have a judicial remedy under section 702 of the Foreign Intelligence Surveillance Act of 1978 against government surveillance, EU citizens do not have similar rights. An independent body of an equivalent status to the FTC or FISC and a mechanism to enable EU citizens to initiate complaints to such a body would address the court's concerns.
The data protection regulators of the EU member states, through their collective association known as “the Article 29 Working Party,” have indicated that they will not take enforcement action until the end of January 2016 to allow businesses to put alternative arrangements in place. But as the CJEU's concerns are not matters that the U.S. negotiators are likely to address quickly, holding out for a new safe harbour may be a high-risk strategy. This may particularly be so for businesses transferring data to and from EU countries more sensitive to the issue, like Germany.