On October 6, 2015, the European Court of Justice (ECJ) issued its much-anticipated decision in Schrems v. Data Protection Commissioner, Case C-362/14. The case considered the viability of the U.S.-EU Safe Harbor Framework, which has been applied to permit U.S. companies to transfer personal data regarding their employees and customers from the European Union (EU) to the United States in compliance with EU data protection requirements. The ECJ invalidated the European Commission’s earlier decision holding that the Safe Harbor principles provide adequate protection for personal data transferred from the EU to the United States.
What Happened In This Case?
The case involves a legal challenge that Austrian national Maximilian Schrems brought against Facebook, Inc. for transferring personal data from the European Union to the United States under the Safe Harbor Framework. Schrems, who subscribed to Facebook in 2008, signed a contract with Facebook Ireland—a subsidiary of Facebook, Inc.—as do all Facebook subscribers residing in the European Union. As Schrems's agreement was with Facebook Ireland, he filed his complaint with the Irish Data Protection Commissioner and the Irish court.
The Irish authority rejected his complaint on the ground that European Commission Decision 2000/520/EC, issued on July 26, 2000, held that the United States ensures an adequate level of protection of the personal data transferred from the EU to the United States for companies that self-certified under the U.S.-EU Safe Harbor principles.
Schrems then brought an action before the High Court of Ireland challenging EC Decision 2000/520. Although the Court expressed doubts regarding the validity of EC Decision 2000/520, it stayed the proceedings and requested that the ECJ examine the question of whether the Irish Data Protection Commissioner was bound to follow EC Decision 2000/520 or whether it should conduct its own investigation into the adequacy of data privacy protections provided by the Safe Harbor principles.
On September 23, 2015, the ECJ Advocate General, Yves Bot, issued a non-binding opinion recommending that the ECJ invalidate the Safe Harbor Framework. A main factor in that opinion was Edward Snowden’s revelation that personal data transferred from the European Union to the United States under the Safe Harbor Framework had been accessed by the United States’ National Security Agency under the PRISM program.
On October 6, 2015, the ECJ did not go quite as far as the Advocate General but did hold that European Commission Decision 2000/520 is invalid and that data protection authorities in each EU member state have the authority to rule whether the Safe Harbor principles provide adequate protection for the transfer of personal data of their citizens to the United States.
What Does the Decision Mean?
The ECJ decision means that companies transferring personal data from the EU to the United States can no longer rely on the presumption that the Safe Harbor principles provide adequate protections. Accordingly, any transfer of personal data to the United States under these principles may be subject to complaints by employees and customers, investigations by individual data protection authorities, and possible enforcement actions and penalties.
Additionally, it is likely that several EU regulators may suspend personal data transfers based on the Safe Harbor principles, especially in Germany and other countries where Safe Harbor has been regarded with suspicion.
Consequently, companies that currently rely solely on the Safe Harbor principles to transfer personal data will need to find other legal means to do so. These other means may include binding corporate rules that permit intra-company transfers, model contract clauses adopted by the European Commission, and consents of data subjects. These alternate methods, however, can sometimes be costly, time-consuming, and difficult to achieve.
Further, given the heightened scrutiny that data protection authorities will now apply to data transfers, companies must ensure that their privacy practices and procedures actually comply with the requirements of EU data protection laws when they implement alternate transfer methods.
What Should You Do?
There are many nuances to the ECJ’s decision in Schrems v. Data Protection Commissioner, invalidating the European Commission decision that had established the Safe Harbor principles for personal data transfers between the EU and the United States.