In early October 2015, the Court of Justice of the European Union (CJEU) in the Schrems and Facebook case, declared the EU-US Safe Harbor invalid. The CJEU ruling stunned many businesses and organizations throughout the world. For the past 15 years, the Safe Harbor Program had made it easy for businesses established in the United States and the European Economic Area (EEA) to exchange personal data in the ordinary course of business. It was the simplest and most business friendly method for addressing the prohibition against cross-border data transfers to countries that do not offer adequate protection of privacy rights and personal data, a prohibition that is common to all data protection laws of EEA member states.
Since the issuance of the ruling, a flurry of activity has occurred. Numerous reactions and comments have been published. Two of the most notable statements issued by the Article 29 Working Party and by the Israeli Law, Information and Technology Authority require that US companies involved in international exchanges of personal data with the EMEA Region react promptly to the invalidation of the Safe Harbor Program, so that they establish alternative measures to address the void left by this invalidation.
On October 15, 2015 the Article 29 Working Party (A29) – the umbrella organization that encompasses the Data Protection Commissioners of the 31 EEA Member States – published its initial reaction to the CJEU ruling. The A29 confirmed that the invalidation of the Safe Harbor Program is effective immediately. In addition, it warned that if, by January 2016, the United States and the European Union have not reached a satisfactory agreement that incorporates certain elements identified in the A29 statement, the EEA Data Protection Authorities will commence enforcement actions against illegal cross border data transfers.
Israel Revokes its Acceptance of the Us EU Safe Harbor
Now, on October 19 2015 the Israeli Law, Information and Technology Authority (ILITA), the country’s data protection authority, announced that, in view of the CJEU ruling invalidating the EU-US Safe Harbor, it would cease treating a US company’s self-certification under the EU–US Safe Harbor as a ground for granting derogations to its own prohibition against crossborder data transfers out of Israel. In other words, Israeli companies that relied on the fact that a US company was listed on the Safe Harbor List of the US Department of Commerce can no longer do so to justify the legality of their transfer of data to the United States.
In a long statement analyzing the CJEU case, the ILITA announced that it revoked its prior authorization permitting the transfer of personal data from Israel to those organizations in the United States that certified under the EU-US Safe Harbor. In keeping with the data protection legislation enacted throughout the EEA, the Israel Privacy Protection Regulations (Transfer of Data to Databases Abroad) 2001 restricts the transfer of personal data outside the country unless the recipient country ensures a level of data protection that is no lesser than that provided under Israeli law, or one of the derogations in Section 2 of the 2001 Regulations applies.
Up until very recently, the ILITA had found that those US organizations certified under the EU-US Safe Harbor provided an adequate level of protection for personal data and, as such, fell under the derogation, provided under Section 2(8)(2) of Israel’s 2001 Privacy Protection Regulations, authorizing data transfers from Israel. However, with the recent CJEU decision in the Schrems case, the position of the ILITA has changed. It has stated that organizations can no longer rely on the aforementioned derogation as the basis for the transfer of personal data between Israel and the United States. The ILITA has advised organizations to assess whether they can legitimize the transfer of personal data between Israel and the United States under one of the other derogations provided in Section 2 of the 2001 Regulations. The ILITA has also advised that it continues to assess the implications of the Schrems decision and that it will publish information and additional clarifications if necessary.
Israel is one of the few counties whose data protection law has been deemed to meet the stringent criteria required under the EU Data Protection Directive 95/46/EC. Under Commission Decision 2011/61/EU, Israel is considered as providing, an adequate level of protection for personal data transferred from the European Union. This adequacy finding ensures that personal data can be transferred from the European Union to Israel, without companies having to rely on other legal methods, such as contractual clauses, to effect the data transfer. It is likely that Israel’s decision to follow the determination in the CJEU ruling invalidating the Safe Harbor Program was prompted by its concern to keep its privileged status vis-à-vis European entities in good standing.
While Israel’s reaction is understandable under the circumstances, it may be a sign that other countries throughout the world that also have the privilege of having been deemed by the European Commission to offer “adequate protection”, countries such as Argentina, Uruguay, Canada or Switzerland, might soon adopt the same approach as Israel. This would isolate further the United States, and create additional pressure for the United States government to modify its course of action and its strategies regarding international commerce
What to do Next?
The activities of US law enforcement agencies remain of great concern to the rest of the world. In its statement, the A29 points out that the question of massive and indiscriminate surveillance is a key element of the CJEU’s analysis. It believes that such surveillance is incompatible with the EU legal framework, and that existing transfer tools are not the solution to this issue.
It is becoming clear that the repeated assertions of the CJEU in its ruling, that personal data when on the US territory is subject to massive surveillance, and that the current legal regime in the United States requires companies to “disregard … without limitation” the prospective rules laid down by the Safe Harbor when they conflict with US national security and public interest are affecting the reasoning of the EEA Data Protection Commissioners and may also be getting traction outside the European Economic Area. The CJEU opinion also points at other deficiencies in the US legal regime, such as a lack of access and correction rights.
The invalidation of the 2000/520 Safe Harbor Decision does not solve these fundamental issues. It is hard to see how data transferred from the EEA to the United States under BCRs or Standard Contractual clauses would not suffer the same fate. The next few months will be very busy and will see extensive activities in the United States, throughout Europe, and probably in other parts of the world. Hopefully the wake-up call provided by the CJEU ruling will pave the way to effective and productive negotiations that find a solution that help revive commerce and exchanges between the affected countries.
In the meantime, US companies must urgently evaluate their situation and take appropriate remedial measures to meet the data protection standards in the countries in which they currently do business. The January 2016 deadline, set by the A29 Working Party, is a very important deadline. US companies should take the time, this Fall, to reshape their crossborder data transfer solutions to address the significant challenges created by the invalidation of the EU-US Safe Harbor, and the associated ramifications such as the Israeli decision.