Calm Before the Storm? The latest on transatlantic data transfers following the demise of the Safe Harbor Framework

Tuesday, January 5, 2016 - 22:02

On October 6, 2015, the Court of Justice of the European Union (CJEU) effectively invalidated the U.S.–EU Safe Harbor Framework with its decision in Maximilian Schrems v. Data Protection Commissioner. The Safe Harbor Framework was established in 2000 by the U.S. Department of Commerce and the European Commission to permit transfers of personal data from the European Union to the United States in compliance with legal restrictions on such transfers imposed by EU data protection law. 

Despite concerns voiced by EU authorities about the continued stability of the Safe Harbor Framework (concerns that increased following the 2013 Snowden revelations regarding U.S. government access to data), prior to the CJEU’s decision, the Framework had been a popular method utilized by thousands of organizations to facilitate lawful transfers of personal data as needed for their transatlantic business operations. In the immediate wake of Schrems, many of these companies were faced with difficult choices and had little guidance from regulators on how to proceed. This article discusses the fallout resulting from the decision and how affected companies have been coping in the two months since it was issued.


The CJEU’s judgment concerned a complaint brought by Max Schrems, an Austrian citizen who asked the Irish Data Protection Commissioner (DPC) to investigate Facebook’s transfer of his personal data from Ireland to the United States. When the Irish DPC rejected the complaint, citing the fact that Facebook’s data transfers were permitted pursuant to the Safe Harbor Framework, Schrems appealed the decision to the Irish High Court. The High Court in turn applied to the CJEU for a determination regarding whether the Irish DPC could investigate the complaint even though Facebook had self-certified to the Safe Harbor Framework, a data transfer mechanism that had been duly approved by the European Commission as providing “adequate” protection for EU personal data being transferred to the United States.

In its ruling, the CJEU invalidated the European Commission’s adequacy decision with respect to the Safe Harbor Framework, basing its judgment on several factors, including that the Commission’s decision (1) acknowledged that public authorities in the U.S. could have general access to the content of electronic communications; (2) did not indicate that the U.S. had rules in place to limit this type of interference with EU citizens’ rights; and (3) did not provide any evidence of legal protection or recourse for individuals whose personal data might be subject to such access.

In addition, the CJEU ruled that the Irish DPC has the authority to investigate claims such as Schrems’ and that any national data protection authority in the EU can conduct such an investigation, despite the European Commission having made an adequacy determination with respect to the Safe Harbor Framework. 

Although the practical implications of the CJEU’s judgment were (and still are) uncertain for companies that previously had availed themselves of the Safe Harbor Framework to transfer personal data from the EU, in the weeks following the decision a number of European data protection authorities (DPAs) and other regulators issued opinions and guidance. Of particular note, on October 16, 2015, the Article 29 Working Party indicated that, although transfers pursuant to the Safe Harbor Framework were no longer permitted, EU DPAs would allow through the end of January 2016 for a replacement mechanism or alternative solution to be developed. In the interim, other data transfer mechanisms, such as Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs), offered potential alternatives for entities to consider.

Standard Contractual Clauses: A Popular Alternative 

For many organizations that had been using the Safe Harbor Framework to transfer personal data from the EU to the U.S., Standard Contractual Clauses (also referred to as “Model Clauses” or “Model Contracts”) have proven a relatively straightforward and cost-effective alternative. Although identifying the ideal data transfer mechanism in a given scenario requires a fact-specific evaluation of the entities and types of data involved, SCCs generally are considered an “easier” option than BCRs, which typically take a minimum of 18 months to implement following a complex development and approval process that can cost hundreds of thousands of dollars.

SCCs are sets of contract clauses that have been approved by the European Commission for purposes of establishing safeguards to allow for the transfer of personal data from the EU to countries that are not otherwise deemed to provide “adequate” protection for the data (including the U.S.). The European Commission has approved three sets of SCCs: two sets of SCCs for data transfers from one data controller to another data controller, and one set of SCCs for transfers from a data controller to a data processor. The second set of controller-to-controller clauses was developed several years after the first through a negotiation process between the European Commission and business associations, and, accordingly, is said to be more “business friendly” than the first set.

SCCs may be a favorable option for a number of reasons, including that (1) they can be implemented quickly (when used verbatim, they are effectively “preapproved”); (2) they may be used for personal data transfers from the EU to any non-EU jurisdiction (in contrast, the Safe Harbor Framework applied only to EU-U.S. transfers); and (3) SCCs may be established for intracompany transfers as well as for transfers to third parties.  

Although they have not yet been approved for use by the European Commission, in March 2014 the Article 29 Working Party adopted draft SCCs for data transfers from EU processors to non-EU subprocessors. The need for clauses of this nature has become increasingly apparent as companies that formerly relied on the Safe Harbor Framework attempt to put SCCs in place to cover a variety of data transfer arrangements that often do not fit neatly into one of the existing, approved sets.  

Reactions and Guidance from European Data Protection Authorities

Shortly after the CJEU’s Schrems decision was announced, the DPA in the German federal state of Schleswig-Holstein released a position paper emphasizing its skepticism regarding the (lack of) protections afforded personal data under the current U.S. legal regime. Going beyond the CJEU’s ruling, the Schleswig-Holstein DPA indicated that it no longer considered the use of SCCs to offer a valid method for transfers of personal data to the United States.  

About 10 days after that initial reaction, a group of German DPAs representing the federal government and 16 German states issued a lengthy position paper that, among other points:

  • Called into question the validity of both BCRs and SCCs as data transfer mechanisms for sending EU personal data to the United States, on the basis that companies in the U.S. cannot comply with the contractual obligations associated with these mechanisms under current U.S. law; 
  • Stated that they would no longer authorize BCRs or other data export contracts for transfers of personal data from Germany to the U.S. (it is unclear whether the DPAs intend to maintain this position indefinitely, although it appears this moratorium on BCRs is not intended to have retroactive effect); 
  • Emphasized that obtaining the consent of individual(s) for purposes of transferring personal data to the U.S. may be used only “under strict conditions” and may not be used to cover mass or repeated transfers of personal data; 
  • Indicated that they plan to audit personal data transfers based on the implementation of SCCs to assess whether the clauses provide adequate data protection in practice; and 
  • Recommended that companies looking to send personal data from Germany to the U.S. consult two existing resolutions issued in March 2014 (regarding human rights in the electronic communications sector) and October 2014 (on cloud computing).

In contrast to the German DPAs’ position, in mid-November the French data protection authority (the “CNIL”) issued advice and a set of FAQs regarding valid bases for personal data transfers from France to the U.S. post-Schrems. In its guidance, the CNIL indicated that SCCs could be used in place of the invalidated Safe Harbor Framework until a replacement mechanism has been established. Specifically, the CNIL stated that SCCs were a preferable alternative to the use of BCRs given the time and effort required to develop and implement BCRs. The FAQs also state that, although signed SCCs need not be sent to the CNIL, it is incumbent upon organizations to maintain a copy of the SCCs that can be made available to the CNIL. 

Separately, the Spanish data protection authority (the “AEPD”) sent letters in early November to companies that had previously registered data transfers to the U.S. pursuant to the Safe Harbor Framework. The letters (1) informed the companies that the Safe Harbor Framework was no longer valid and thus they needed to make alternate arrangements for their data transfers; and (2) ordered the companies to report back to the AEPD by the end of January 2016 with information regarding the data transfer mechanism(s) the company had implemented to replace the Safe Harbor Framework. The AEPD’s letter further stated that SCCs may be used, but they must be authorized by the AEPD, and it warned that enforcement actions resulting in fines and/or injunctions preventing data transfers may result if the companies do not provide the relevant information. 

Going Forward

Although it is beginning to seem unlikely that a suitable, permanent replacement for the Safe Harbor Framework will be secured before the unofficial January 31, 2016 deadline set by the Article 29 Working Party, there is optimism on both sides of the Atlantic that a negotiated solution is possible. That said, debates concerning intelligence gathering for law enforcement purposes following the November 2015 terrorist attacks in Paris, as well as the December 17 release of the final draft of the revised EU General Data Protection Regulation, have added to an already complicated legal landscape. For multinationals doing business across the pond, 2016 promises to be an eventful and challenging year for compliance.


Melinda McLellanCounsel in the New York office of