As has been well reported, earlier today the Court of Justice of the European Union (“CJEU”) handed down its long-awaited judgment in Schrems v. Data Protection Commissioner (C-362/14).
The Court found that the Safe Harbor system facilitating the export of personal data from the EU to the USA is ‘invalid’. But what does this mean for international business, and what are the next steps?
1. The judgment is less restrictive for businesses than the AG’s opinion
The judgment doesn’t go quite as far as the Advocate General Bot’s Opinion of 23 September 2015, which, as we flagged in our previous post, went so far as to suggest that EU Commission Decisions approving international data transfers were not binding on national data protection authorities (“DPAs”). As we previously noted, the AG’s position was quite problematic from the perspective of legal certainty and inconsistent with basic principles of EU law. The fact that the Court has not followed this aspect of the AG’s Opinion is to be welcomed.
2. Businesses that rely on Safe Harbor need to look at alternative ways of transferring personal data to the US
It is very important to note that this ruling does not prohibit or restrict transfers of personal data from Europe to the US. The judgment simply finds that Safe Harbor, just one of a number of different legal mechanisms that could be used to lawfully move data from Europe to the US, is invalid. There are a number of alternative approaches that can still be used.
In particular, personal data can still be transferred to the US where the underlying individuals have given their consent to such transfer or where EU Commission-approved Standard Contractual Clauses (“SCCs”) – a special type of data processing agreement - are in place. However, paragraph 92 of today’s CJEU judgment states that ‘derogations and limitations in relation to the protection of personal data’ should apply ‘only in so far as is strictly necessary’.
This means that user consent and SCCs still allow for the transfer of data. As derogations, however, these options need to be used with care and are likely to be scrutinised by national DPAs and courts.
Another potential option would be the adoption of “Binding Corporate Rules” (“BCRs”), a complex arrangement whereby an international corporate group agrees detailed data sharing protocols that are reviewed and approved by the relevant DPAs. BCRs are a complex, time-consuming and often costly route to compliance, and are not suitable for most companies.
3. Only the CJEU can review EU rules designed to facilitate international data transfers
Importantly, the CJEU has reiterated that it alone is empowered to review the validity of Commission Decisions. The AG’s Opinion suggested that national data protection authorities are empowered to review the validity of Commission Decisions. The CJEU has categorically ruled that this is not the case.
In other words, national DPAs remain bound to follow EU Commission Decisions permitting international data transfers, such as the Decisions approving SCCs, even if the DPAs disagree with them. Any question about the legality of such Decisions must be decided by the CJEU.
4. Safe Harbor 2.0 is possible
The AG’s Opinion set out an extensive (and likely unworkable) list of requirements for a new Safe Harbor deal. The judgment is more limited in its scope.
Indeed, the CJEU appears to have left the door open for some sort of Safe Harbor 2.0 proposal if new arrangements can be agreed with the US. The Court appears to envisage a situation where the EU Commission may issue a new Safe Harbor-style Decision. Such a Decision may allow for the transfer of personal data to the US, but with more robust security and transfer protocols than the current regime. It is clear, however, that any such Decision would need to provide EU residents with greater rights of recourse in the US courts than is currently the case. It is less than clear how flexible the US will be in its discussions with the Commission in this respect.
5. The decision is most problematic for EU-based data processors
Due to a gap in EU legislation, EU-based data processors cannot clearly rely on SCCs to justify data export. As a result, transfers to US sub-processors were traditionally justified by reference to Safe Harbor.
Obviously, this is no longer an option.
As a result, this judgment may have the biggest impact upon EU-based data processors, such as cloud storage companies, that typically host some or all of their data in the US. In such cases, it may be necessary to ensure that the underlying individuals have consented to the transfer of their personal data to the US. This may not always be easy to achieve, particularly if the processor has no direct contractual relationship with the underlying individuals.