US DOJ Safe Harbor Program Struck Down By ECJ

29th October 2015 by

On 6 October 2015, the European Court of Justice in a landmark ruling declared the European Commission’s US Safe Harbor decision to be invalid. This decision has the effect of striking down the Department of Commerce Program agreed with the EU that allows US companies to receive personal information from the EU by agreeing to be bound by certain data protection principles. This could have a significant impact on the way gaming companies transfer data from the EEA to the US.


The EU Data Protection Directive 1998, implemented throughout the EU in national legislation, requires that personal data may not, as a general rule, be transmitted outside the European Economic Area (which includes the EU Member States together with Iceland, Liechtenstein and Norway), unless it is to a country that has adequate data protection laws.  To date, the Commission has only found a small number of countries have adequate data protection laws, namely Argentina, Canada, Guernsey, Isle of Man, Switzerland and Jersey. The US is notably not among them, having piecemeal privacy legislation for different sectors, but no equivalent overarching data protection legislation similar to the EU. The US is a massive importer of personal data and may account for as high as 50% of trans-border personal data transfers globally.


To find a practical means to deal with the US data transfer issued, the Commission back in 2000 through a decision, agreed the” Safe Harbor “program with the US Department of Commerce. The scheme creates a voluntary mechanism enabling US organisations to qualify as offering adequate protection for personal data transferred to them from the EU and is recognised by the Commission as providing adequate protection for the transfer or personal data under the terms of the Directive.  Currently there are over 5,000 US companies registered by the program. Large multinational companies such as Facebook and Google are participants in the program as are some US gaming companies. A full list of companies that have been participating in the Safe Harbor regime can be found on the US Department of Commerce website.


The challenge arose from an Austrian privacy activist, Maximillian Schrems, who brought suit in Irish courts, on the basis that Facebook transferred his personal data to servers in Ireland to the US. He claimed that irrespective of the Safe Harbor program, US data protection was inadequate, in particular  in light of the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services, and in particular the  US National Security Authority, the law and practice of the US do not offer sufficient protection against surveillance by public authorities of the data transferred to that country.

The European Court of Justice supported his claim and struck down the Commission decision as invalid and that the Commission did not have the competence to restrict national data protection authorities from reviewing data transfers outside the EU. The court did not provide any transitional period for companies to adapt so technically thousands of companies are now non-compliant with EU data protection rules. These include both US multinationals transferring data between group companies and their US parents and companies in the US and their EU based customers.


This ruling will affect both land based and online gaming and betting companies wishing to transfer personal data about its employees, customers and suppliers from the EEA to the US. Until the EU and US agree a successor program that is compatible with EU data protection law, in the interim a large number of companies are left in the lurch.

The Information Commissioner’s Office in the UK (“ICO”) has released a statement following the ruling addressing the difficult interim problem. They noted,  “the judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do so…. We will now be considering the judgment in detail, working with our counterpart data protection authorities in other EU member states and issuing further guidance for businesses on options open to them.” ICO also noted that negotiations have been going on for some time between the European Commission and the EU to replace the Safe Harbor program with a new more privacy protective arrangement.  So it appears the ICO understands that this will take some time and accordingly it would follow that immediate enforcement action would not be taken against companies that are suddenly non-compliant. Hopefully other EEA Member State data protection regulators are equally understanding.

One of the troubling parts of the judgment is that the decision was largely based on the ability of US intelligence agencies such as the National Security Agency to view personal information transmitted to the US. It is unlikely that US security agencies will ever defer to EU privacy legislation over perceived national security needs. How will this be reconciled in Safe Harbor 2 program?  Data subjects in the EEA may need to be made aware that their personal information may be subject to scrutiny by US security agencies and specifically consent to this.


The most obvious and cleanest alternative for compliance is not to transfer personal data outside the EEA and to install and maintain servers for information storing personal data about EEA residents within the boundaries of the EEA. This unfortunately is not a practical solution for many companies that need to centralise functions requiring collection storage and use of EEA customer, supplier and employee data in the US.

There are other means approved by the EU for transmission of personal data internationally. One of these is known as “binding corporate rules.” With this scheme, companies within a group of companies can agree to transfer personal data within the group only under certain rules compatible with EU data protection legislation. The binding corporate rules must be approved by the information commissioner in the EEA country of transmission. The use of binding corporate rules only applies to use intra-company, so does not solve the problem of transmission of data between a customer in the EEA and supplier in the US.

Another alternative is the use of “model clauses “in contracts between persons or companies sending data from in the EEA and the companies or persons receiving them in the US. The EU has pre-approved a certain template for use in contracts that it considers provides adequate protection.

A third alternative is to obtain express consent from the data subject to the cross border transmission of his or her data for a specific use or uses of the US recipient.

The model clauses and express consent options may be impractical where transmissions are done on a large volume scale such as between consumers in the EEA and a supplier in the US. Also the model clauses and any express consent may now need to make clear that the consent may need to specifically make reference to access by US authorities.


As a result, US companies will need to urgently assess their data protection programs to find another means to comply.  There is no transition period for the decision invalidating the Safe Harbor program and there is no certainty about enforcement action that may be taken in the interim period. There will likely be a solution reached between the Commission and the US, but this won’t likely be concluded any time soon.

Contact  David Schollenberger, Partner and Head of IT/IP at Healys LLP for more information and advice.  e: