Maximillian Schrems v Data Protection Commissioner [06.10.15]

On 6 October 2015, the European Court of Justice (ECJ) ruled that the Safe Harbour Agreement, allowing transfers of personal data between the EU and the US, is invalid.

Background 

Facebook subscribers in the EU enter into a contract with Facebook Ireland who transfer users’ personal data to servers in the US. Following Edward Snowden’s revelations about mass surveillance of personal data by US intelligence authorities, Schrems, an Austrian citizen, asked the Irish Data Protection Commissioner (DPC) to investigate whether Facebook’s data transfer policies offered adequate protection. 

The EU Data Protection Directive only permits the transfer of data outside the EU if adequate protection is ensured. The European Commission decision 2000/520/EC (the “Safe Harbour Decision”), provided that personal data could be transferred to the US by EU based US companies who self-certified that they had complied with a number of principles. Schrems’ complaint was initially rejected by the DPC, who considered that it was bound by the Safe Harbour Decision. 

Schrems challenged the decision. The Irish High Court found that although surveillance of personal data by US authorities was in the public interest, there was significant overreaching by a number of those agencies. The ECJ’s preliminary ruling was requested on the question whether the DPC was bound by the Safe Harbour Decision. 

Decision 

The ECJ found that:

  1. A Commission decision on what amounts to “adequate protection” offered by a non-EU Member State, does not prevent the Data Protection Authority of a member state investigating complaints brought to them by data subjects.
  2. Whilst Data Protection Authorities do not have the power to invalidate a Commission decision, they can refer questions of validity to the ECJ, who has the authority to declare such decisions invalid.
  3. European Commission decision 2000/520/EC is invalid. It does not provide “adequate protection” as it allows data to be shared for national security purposes, despite the agencies with whom data is shared falling outside the Safe Harbour scheme. The decision effectively operated as a blanket binding decision, thereby preventing data protection authorities undertaking their investigations into data transfers freely and impartially.

Comment 

The decision will affect thousands of Safe Harbour certified companies across all sectors who rely on the ability to transfer data between the EU and US, either internally or in their service chain. It will also affect those who believe that they can lawfully trade and disclose personal data to such companies. Companies must now employ alternative methods of data transfer, including obtaining individual consent or adopting EU Model Clauses, which may be burdensome. 

The use of Cloud services has historically been underpinned by Safe Harbour. However, following the ECJ decision and the resultant administrative burden of using US providers, EU based cloud providers may become increasingly attractive to businesses in the EU. 

Knock-on effect? 

The Safe Harbour Decision is currently being considered in the ongoing dispute between Microsoft and the US Government. In brief, the US Government has issued a warrant to recover customer data in a drug investigation, which is stored on Microsoft’s server in Ireland. The Government argues that Microsoft is covered by US legislation, whilst Microsoft says that the data is covered by European data privacy laws. If the US Government’s interpretation is upheld, it will be able to demand access to data stored on the servers of US firms anywhere in the world. Understandably, this may make businesses even more wary of dealing with US cloud providers, as such a decision would essentially mean that the US government is able to demand access to data, simply because there is a US provider in the supply chain.