News October 2015: Invalid « Safe Harbor »: what should be done about current contracts with US companies?


The decision of the Court of justice of the European Union (CJEU) dated October 6, 2015[1] invalidates the certification « Safe Harbor » which ruled, since 2010, the transfer of personal data belonging to European citizens to the United States. This self-declaration system, deemed to be a « trust mark », has been criticized by supporters of personal data protection in Europe, which critics have been even more violent further to the public disclosure by the whistleblower Edward Snowden of massive interception and espionage practices by the National Security Agency (NSA).

The decision of October 6, 2015 results from the judicial action introduced by an Austrian Facebook user, Maximillian Schrems, who filed a petition before the Irish Data Protection Authority and then lodged an action before the Irish High Court against Facebook subsidiary entrusted with the transfer of Facebook  European users ‘ personal data outside the European Union.

As per its decision dated October 6, 2015, the CJEU considers that the Safe Harbor self-certification system is not valid anymore pursuant to European standards of personal data transfer set forth in Regulation 95/46/CE of October 24, 1995 (the “Regulation”). Consequently, this decision reverses the presumption of “adequate level of protection” inferred by the adhesion to the Safe Harbor.

Therefore, this decision leaves a substantial legal vacuum which is detrimental to contracts in force between European nationals (either individuals or legal entities) and American service providers: hosting providers or cloud operators, for personal use (such as Google or Facebook) or for professional use (IBM, Microsoft, Oracle…).

Do we have to consider that, since October 6, 2015, all transfers of European citizens personal data to the United States are illegal?

As per its press release dated October 16, the working group G29[2] , after the emergency meeting following the decision dated October 6, decided to grant the European Commission and the United States government with a 3 month notice to find a satisfactory intergovernmental agreement to replace the Safe Harbor and remedy the failures of the initial text.

If no political agreement is found on January 31, 2016 at the latest, national authorities for the protection of personal data in Europe will reserve the right to sue companies that would proceed to illegal personal data transfers without setting up contractual measures in line with European standards.

While waiting for the conclusion of the new “Safe Harbor 2” which negotiation will be most difficult considering the resistances of the American administration and which will be – due to its diplomatic nature – less protective than the European standards, European companies do have a unique opportunity to try to renegotiate, on an open market basis, with American hosting providers, contractual provisions in line with European standards for the protection of personal data.

Why is it important for European companies to (re)negotiate?

The legal safety of personal data was not, until recently, crucial for companies entrusting the hosting of the personal data (of their employees, prospects or clients for instance) to data centers. The technical safety only was central. Companies had no interest in the legal safety of the data transfer since the “trust mark” of the Safe Harbor was in place. The fact that the Safe Harbor has been invalidated reminds to anyone that, from a legal standpoint, data safety (ie. their availability, completeness and confidentiality) is as much crucial as technical safety.

It is now obvious that Safe Harbor is helpless to protect European citizens against « massive and undifferentiated surveillance »[3] of personal data by the NSA which is entitled to do so pursuant to legal texts such as the US Patriot Act and the FISA[4] (that have applied after the Safe Harbor).

As a reminder, both texts (the first one relating to the fight against terrorism and the other one enabling the collection, even more massive, of any information related to foreign intelligence) require from American companies and all their subsidiaries around the world and from servers hosted in the United States – whatever the nationality of companies that are behind them – to give the American security services access to the personal data they host or operate, even if those data relate to non-American citizens which cannot be informed of the use of their data.

In other words and in practice, when a French company uses – for the hosting of its employees, prospects or clients personal data – a data center of an American company or its subsidiary in Europe or a European company having a server in the US, nothing can prevent the US security services to have full access to the hosted personal data.

Consequently and since October 6, 2015, a French company which is the data controller (as it defines the collection and data processing of its employees, prospects or clients for instance) infringes data protection European rules[5]  and becomes directly liable towards individuals and the CNIL, if it uses a service provider submitted to American laws.

As a reminder, in case of prohibited data transfer due to the fact that the destination country does not warrant an “adequate level of protection” (which is the case of the United States since October 6, 2015), the clients which are data controllers pursuant to the law, can be punished by a 5 years prison penalty and a euros 300,000 fine[6] (fine that can be increased up to 1,500,000 euros if the legal entity is to be regarded as criminally liable – article 226-24 of the French criminal code). Even if those penalties are not likely to be enforced before January 31, 2016, they are dissuasive enough to draw the attention of European companies on what is at stake.

There is now a major conflict between the obligation for the data controller (ie. any European company which has entrusted an American SaaS provider or its subsidiary with a data processing to) to comply with European rules and the obligation for such IT service provider to comply with the legal requirements under the US Patriot Act and/or the FISA.

One or the other contractual partner is necessarily in breach of the rules he has to comply with.

Why is the right time to (re)negotiate?

The Safe Harbor regarded as a “trust mark” until now has given the cloud market the opportunity to emerge and grow in Europe, thanks to American cloud computing operators which technological advance in terms of collection, hosting and processing was indisputable.

During fifteen years, 4.000 American companies have been entrusted with the collection and personal data processing of French citizens.

The « data centers » and « cloud computing » market is, in general, for the world economy and the actors operating in this sector, already huge and is not even mature yet.

The cancellation of the Safe Harbor, by making European and French companies aware of the risks, notably, in financial terms and in terms of image, linked to the infringement of European rules will probably slow down the conclusion of IT contracts between European clients and American service providers or their subsidiaries.

On the contrary, this benefits to the European cloud operators (« sovereign clouds ») which de facto ensure (provided that they are European companies not governed by American law and that they do not use servers in the US) that the European data protection rules are complied with and consequently warrant that their clients (data controllers) will not be suited.

The end of the Safe Harbor gives a substantial competitive advantage to IT European service providers with the opportunity to change drastically the data hosting market in favor of providers that are located in Europe and that are governed by a law of a Member State. 

The ambitions of some of the cloud computing European actors (among which in France: SFR, Orange, Atos, Capgemini, Dassault and Thalès) have been encouraged by the CJEU, some of them publicly stating that their services do protect the clients against the « extraterritorial » effects of the FISA and the US Patriot Act. 

The opportunity is also given to European clients to renegotiate with American providers the adhesion contracts entered into a few years ago.

Since the contractual compliance warranty “Safe Harbor” is no valid anymore,  the clients could claim, subject to what is provided for in the contract, a “breach of warranty” to terminate, without indemnification, the contracts in force; which could, at a large scale, seriously jeopardize the position of American giants and their subsidiaries in Europe.

The risk of return of personal data to European clouding operators or actors such as Microsoft, which claims to be the only cloud services provider supported by working group G29, is much real[7].

It is an exclusive opportunity to use this leverage to try to obtain contractual provisions more in line with European standards, taking for granted that the future intergovernmental agreement – which will result from diplomatic compromises – shall not be as protective of European citizens interests as the Regulation itself.

What should be (re)negotiated?

Apart from an express authorization from the Data Protection Authority (CNIL in France), two types of provisions may partially fill the legal gap resulting from the Safe Harbor invalidation:

The « standard contractual clauses » meant to rule the relationships between professionals have been drafted by G29 working group and are available through the following weblink

or the « BCR » (Binding Corporate Rules) which allow the data transfer from a subsidiary to another subsidiary, outside the European Union within the context of B to C business. However BCR are « intragroup » policies which cannot, unless expressly accepted, be enforceable to external service providers.

In its press release dated October 16, Group G29 underlines that « BCR » and « standard contractual clauses » are currently being examined in order to check whether they are still compliant with the European requirements of an « adequate protection level » for the data transfer outside EU.

However, G29 also confirms that, during the three months granted to find a new intergovernmental agreement, those contractual tools can and even must be used by contractual partners; even though the national Data Protection Authorities reserve the right – as CJEU invited them to do in its decision dated October 6 – to check the validity of some transfers following complaints that could be filed. 

Ideally and for any (re)negotiation, by mutual agreement, with an IT service provider or its European subsidiary, French and European clients should require notably, as regards the data transfer, the following conditions and guarantees: hosting place for data within the European Union, obligation to have exclusively in the chain of service providers European companies that are not subject to American laws, the warranty that that any sub-contractor is contractually bound by the same obligations as those provided for in the main contract, the compliance with standard contractual clauses of G29, an automatic termination clause applying in case the personal data transfer to American authorities or to non-expressly authorized third-parties could be proven or, more generally, in case of breach of the Regulation or the French law “Informatique et Libertés” etc….

The shock wave resulting from the invalidation of Safe Harbor will probably, on a long-term basis, lead to an intergovernmental agreement more protective of European personal data than the Safe Harbor. However, the protection of personal data transfer will probably even more better ensured within a renegotiation process, on an open market basis, with American service providers that will nevertheless not be able to escape from the implementation of American public order rules.

The more the European companies, and notably the French ones, will start discussions in this direction with American companies, the better their claims will be addressed by the service providers which take the risk, in case of a refusal, to cause a massive and systematic deportation of their European clients towards their European competitors.  

Eventually, perhaps even before the entry into force of a Safe Harbor 2, the invalidation of Safe Harbor will have, in practice and because of the commercial interests at stake, contributed to improve the contracts with IT service provider, by duplicating standard contractual clauses… (one must however keep in mind that, in any case, American companies will remain subject to compulsory rules of American public order).

As for now, the October 6 decision has not moved that much the lines nor the American Internet giants, some of them still claiming their adhesion to the Safe Harbor which is now declared invalid….

The Irish Data Protection Authority will finally – as the Data Protection Commissioner indicated on October 20 – instruct the petition filed by Maximillian Schrems against Facebook. No doubt that this decision will be most interesting as for the first time a Data Protection Authority will carefully examine Facebook personal data transfer policy outside the European Union, without the protection of the Safe Harbor shield.

What is at stake is not insignificant: it simply deals with the prohibition of the transfer of personal data belonging to European users of Facebook to the United States.

by Sarah Temple-Boyer

[1] CJUE 6 octobre 2015, Thierry Maximilliam Schrems c/ Data Protection Commissionner, C-362/14

[2] Working group composed of 29 national personal data authority of the Member States of the European Union.

[3] So said Working group G 29 in its press release dated October 16

[4] Foreign Intelligence Surveillance Act

[5] Pursuant to European Regulation 95/46 CE dated October 24, 1995, the data processing systems must serve the Man and shall comply – whatever the nationality or domicile of the individuals – with freedom and fundamental rights of persons, in particular private life.  

[6] Article 226-22-1 of the French Criminal Code : «To the exclusion of the cases provided by law, the transfer of personal data destined to be processed in a country located outside the European Union which infringes the European Commission or the National data Protection Authority measures such as referred to in article 70 of law n° 78-17 du 6 janvier 1978 précitée  is punished by a 5 years prison penalty and a 300,000 euros fine ».

[7] Extract of Microsoft contractual conditions: “Our approach to privacy and data protection in our cloud services is built on a commitment to empower organizations to control the collection, use, and distribution of their information. By providing this functionality and implementing strong operational protection practices, Microsoft can make compliance commitments to our customers in the form of certifications, attestations, and contractual agreements. Microsoft was one of the first organizations to sign European Model Clauses, documenting our commitments to protect the data of our customers who do business in E.U. countries. Commitments to the E.U. Model Clauses, along with standards like the Generally Accepted Privacy Practices (GAPP) and the Fair Information Practice Principles (FIPPs) guided the creation of Microsoft’s own privacy principles used to manage customer and partner information.

EU Model Clauses. The European Union’s 28 data protection authorities, acting through their “Article 29 Working Party,” have determined that the contractual privacy protections Microsoft offers to its enterprise cloud customers meet the current existing EU standards for international transfers of data. Microsoft is the first and only cloud provider to receive this type of approval. Europe’s privacy regulators have said, in effect, that personal data stored in Microsoft’s enterprise cloud is subject to Europe’s rigorous privacy standards no matter where that data is located. This recognition applies to Microsoft’s enterprise cloud services – in particular, Microsoft Azure, Office 365, Microsoft Dynamics CRM and Microsoft Intune”