Legal alert - ECJ blocks EU to US data transfers under the Safe Harbour regime

7 October 2015

The European Court of Justice (ECJ) has ruled overnight (NZT) that transfers of personal data from European Union countries to the United States can no longer be validated under the 'Safe Harbour' regime.

The seemingly mundane decision in Brussels will have an impact on any New Zealand tech companies and other businesses with a footprint or customer base in the EU, many of whom will already be fielding requests from their US service providers to sign up to specific Data Processing contracts or 'Model Clauses'.  Companies like Rackspace, AWS and Salesforce (along with several thousand others) are Safe Harbour signatories, and the ruling essentially re-brands them as "non-compliant" for the purposes of EU Data Protection laws. 

Under those laws, the onus is on the 'data controller' (which will almost always be the customer) to make sure that personal information is collected and used in a legally compliant way, including by ensuring that personal information will be 'adequately' protected when transferred outside the EU.  The most common way of exporting personal information from the EU to the US has, for the last 15 years, been under the Safe Harbour regime, a voluntary scheme operated by the US Federal Trade Commission which audits and certifies members' security and privacy standards.

The ECJ's ruling (thanks largely to Edward Snowden and the NSA) means that Safe Harbour is no longer a valid way of ensuring 'adequacy' - which is why some New Zealand businesses may be receiving emails from US service providers asking them to "urgently" sign up to Model Clauses, a set of standard contractual clauses recognised by the European Commission as a valid means of ensuring 'adequacy'.

However, while Model Clauses do offer a legitimate alternative to Safe Harbour, they aren't necessarily a complete solution - some individual privacy regulators in the EU don't recognise Model Clauses, or require that additional formalities are met (for example, in some EU countries, Model Clauses require additional (bespoke) detail around security measures, and/or need to be registered with the local regulator - a process which can take months).

The ink on the ECJ's decision isn't yet dry, but it's sure to have an impact on the US tech industry generally, and certainly on US/EU business relations.  In the meantime, the situation (and industry response) remains fluid and there may well be further guidance or developments to come from European regulators around what businesses should be doing, and whether Model Clauses are the solution.