data protection - Safe Harbour Scheme

The Not So Safe – ‘Safe Harbour Scheme’

More than a month after the ‘Schrems – v – Facebook’ (2015) judgment of the Court of Justice of the European Union (CJEU)...

Sharing is caring!

Over a month after the ‘Schrems vs. Facebook’ case, the EU Court of Justice declared the Safe Harbour Scheme Agreement invalid. The transfer of personal data from the EU to the USA is still not being adequately protected.

Some background

Back in 2000, a Safe Harbour Scheme was established in order to enable the safe transfer of data from the EU to the US. EU privacy laws have restricted the transfer of inadequately protected personal data outside the EU.

The programme represents a self-regulatory scheme created by the European Commission and the US Department of Commerce. It was designed to overcome the existing restrictions and provide adequate protection when data is being transferred from the EU to the US.

The result of the ‘Schrems vs. Facebook’ case changed the whole scenario in the “safety” net. They concluded the Safe Harbour Scheme doesn’t give adequate data protection. The decision lead to chaos and opened a legal Pandora’s Box. So some of the logical questions that followed were:

  • What’s next?
  • How do we protect ourselves?
  • How is that decision being applied to other Safe Harbour Schemes?
  • What is the CJEU doing?

Luckily there are a few alternatives that currently limit access through the legal abyss created by the Safe Harbour Scheme’s shortcomings. Businesses are able to use these as a short-term fix but they aren’t guaranteed and they certainly aren’t a solution.

Here are some of the alternatives:

The EU module clauses contract

Quite simply, this incorporates all the rules that need following to have adequate data transfer protection. For increased safety, it’s preferable those clauses remain just as suggested, so it provides good protection guidance. However, the clause contract doesn’t guarantee 100% protection, nor can it stop US authorities bypassing these constraints.

Unfortunately, US law is different to European law and the difference is profound. US laws allow for the large-scale collection of personal data without effective judicial control. To add insult to injury, the US public authorities aren’t subject to the Safe Harbour Scheme.

Mutual Agreement

If the concerned parties wish so, they can sign a mutual agreement which will cover the “safe” data transfer. This again gives EU companies slightly better protection than the alternative of none. It’s highly risky though, as either party could miss something important, which could result in long-term damage.

Binding Corporate Rules (BCR) Scheme 

Another option is the BCR scheme. It offers a safe area that enables multiple transfers within group companies, which are utilizing the recognition system. This is highly likely to be implemented in the new EU Regulation next year. But in the meantime, a guidance of use for Model Clause and Binding Corporate Rules has been issued.

The statement emphasises the unlawful nature of the Safe Harbour Scheme: “If by the end of January 2016, no appropriate solution is found … EU data protection authorities are committed to taking all necessary and appropriate actions.” Or in other words, there’s a deadline for finding a solution to the Safe Harbour Scheme problem.


The consequences for EU to US data transfer are as follows:

  • If your business transfers EU personal data to a US company using Safe Harbour, you will need to consider adopting alternative solutions immediately. These may include, for example, the Model Clauses or BCRs.
  • If your company transfers data using the Model Clauses or BCRs, these mechanisms may also have the same concerns that caused the CJEU to invalidate the Safe Harbour program. However, for the time being, the WP29 Statement mitigates the compliance risks from relying on these measures.
  • Businesses should take stock of their data protection and transfer practices in order to ensure that they conform. Also, they should consider ways of addressing compliance risks if the January 2016 deadline for concluding the Safe Harbour negotiations is not met.

Global Perspective on the Safe Harbour Scheme

The next question to consider, is what about the Safe Harbour Scheme (Canada)? How is that affected by the recent court decision? At the moment the Canadian Scheme is still deemed to be valid. But of course, the same questions have aroused as in the Schrems’ case. It’s a matter of time until this Scheme will be deemed as no longer an adequate protection provider. The EU commission is working on a piece of legislation that will hopefully be applied to all other Schemes too.

If we look at Israel, their laws prohibit the transfer of personal data without adequate protection. Now after the 6th October decision, they’re also facing the same problem as all the EU countries. They also refer to EU Model Clauses, but this isn’t adequate protection. According to Israeli Law, companies should consider other alternatives such as strong encryption, change of server location and individual consents.


If we look at this issue from a global perspective, it’s easy to see how widespread the effects are. All businesses involved are being forced to fall back on a plan B. this won’t be sustainable in the long-term. Everyone is doing their best in this time of instability to rely on good faith and good business practice between partners. But they’re also waiting to hear some good news in January 2016. The hope is that by then, a new unified decision will be implemented and held valid for all those affected.

Sharing is caring!

Posted by simonholliday