The end of the Safe Harbor Agreement: What do German-American firms do now?

The European Court of Justice recently declared the principles of the "Safe Harbor Agreement" to be invalid (European Court of Justice decision in case C-362/14, Maximillian Schrems V. Data Protection Commissioner). The decision has reversed the most important legal basis for exporting personal data from the EU to the US. What exactly do companies need to bear in mind now?

The Safe Harbor Agreement was a decision made by the European Commission in 2000 regarding data privacy law, which simplified the transfer of personal data considerably. It was referred to as an "agreement" as the decision had been arranged with the US at the time.

In the aforementioned case, the original cause was a dispute between an Austrian man and the Irish data protection authority involving Facebook. Just like all other Facebook users residing in the EU, data from the Irish subsidiary of Facebook was being transmitted in part or in full to servers located in the US, where it was being processed. The plaintiff was of the opinion that the laws and practices in the US did not adequately protect the data transmitted to that country from the monitoring activities being performed by government authorities.

But what should companies do now?

The decision could have far-reaching consequences, even for German companies. For example, companies based out of the EU with holding companies in the US that wish to transmit personal data to said companies (e.g., information on pension funds or salaries) or that plan to commission data processing in the US, are now supposed to reevaluate how they "export data." The more general justification, that the data receiving company in question followed the EU's level of data protection and had expressed such to the US Department of Commerce in a corresponding listing, is no longer sufficient.

Alternatively, companies may be able to claim a legal exception to the German Data Protection Act by obtaining the express consent of the party in question, by using so-called standard EU contract clauses or even by applying so-called "binding corporate rules" that would allow them to continue exporting data to the US. However, all of these instruments have their own unique features, which must be given adequate consideration before they are employed. For example, the number of legal exceptions is extremely small, while the requirements necessary to render consent legally valid are vast in number.

For more information on this topic, or to learn how Baker Tilly international specialists can help,