On 6 October 2015, the Court of Justice of the European Union (“CJEU”) issued a ruling, in the case of Schrems v Data Protection Commissioner, which undermines the use of the safe harbour scheme (“Safe Harbour”) as a basis for transferring personal data to US companies.
The decision has implications for all EU companies who transfer data to US companies which are Safe Harbour certified, and not simply for those located in Ireland, where the Schrems case originated. The judgment is also hugely significant for the over 4,000 US companies that rely on the Safe Harbour to legitimise transfers of personal data from the EU to the US. This update is the first in a series of guidance notes on this topic and its implications for you and your business.
As discussed in our update last week, the Advocate General in this case gave the opinion that the Safe Harbour was invalid as it did not ensure an adequate level of protection of personal data and allowed individuals no redress where their rights were infringed. The CJEU this morning followed the opinion of the Advocate General and declared Safe Harbour invalid.
This case was referred to the CJEU by the Irish High Court in June 2014 after the Irish Data Protection Commissioner (“DPC”) had refused to investigate the complaint of Austrian student Maximilian Schrems. Mr Schrems had argued that transfers of personal data from Facebook Ireland to Facebook Inc. in the US should be suspended in light of the Edward Snowden revelations concerning the National Security Agency’s PRISM program and the mass surveillance of data in the US. The DPC refused to investigate this complaint on the basis that he was bound by a decision of the European Commission that the Safe Harbour scheme ensured adequate protection of personal data and legitimised transfers to companies signed up to the scheme.
The CJEU in its judgment today held that a European Commission decision regarding the adequacy of schemes such as Safe Harbour does not preclude a national data protection authority from examining transfers of data to ensure compliance with the EU Data Protection Directive and the Charter of Fundamental Rights of the European Union. However, only the CJEU can declare a European Commission decision invalid. Accordingly, following any investigation, a national data protection authority must bring proceedings before the national courts, who may refer the case to the CJEU, if there are doubts as to the validity of the European Commission decision. Disaffected complainants, such as Mr Schrems, may also bring proceedings before national courts where the national data protection authority does not find cause to question the European Commission decision.
More significantly, the CJEU also followed the Advocate General’s opinion in declaring that Safe Harbour was invalid. The CJEU held that the interference by US authorities with the fundamental rights of individuals is not limited to what is strictly necessary, as US law authorises the mass surveillance of personal data without limitation or differentiation on the basis of the objective pursued. This, the CJEU stated, compromised the essence of the right to protection of personal data and as such was a disproportionate interference. The lack of effective judicial protection or the possibility for an individual to pursue legal remedies also compromised fundamental rights and the rule of law.
The invalidity of the Safe Harbour will not result in an immediate halt to all transfers of personal data from the EU to the US, as the EU Directive provides for other exemptions to the general prohibition on transfers outside the European Economic Area (the “EEA”). For US companies which are Safe Harbour certified, and for Irish and EU companies which transfer personal data to US companies which are Safe Harbour certified, immediate consideration should be given to implementation of an alternative solution to Safe Harbour based on these exemptions.
It is possible to transfer personal data from Ireland (and other EU member states) to companies in the US and other non-EEA jurisdictions through the use of European Commission approved model clauses (also known as the standard contractual clauses), and through the use of intra-group binding corporate rules. The measures which Safe Harbour certified companies have implemented in practice in complying with the Safe Harbour regime will continue to be relevant under either solution, or indeed if one of the more restrictive exemptions applies.
The model clauses are in pre-approved form, do not require the pre-approval of the DPC, and can be implemented with relative ease. Binding corporate rules, which apply on an intra-group basis only, require approval from one of the EU data protection authorities (with the relevant authority being determined by reference to a number of factors, such as the location of the European headquarters of the group) and therefore take longer to implement.
Both the model clauses and binding corporate rules give the data subject the right to take direct action to enforce them. Given that a key consideration of the CJEU appears to have been the lack of an effective right for data subjects to be heard on the question of surveillance and interception of their data, this is an important feature of the model clauses and binding corporate rules.
There are a number of other exemptions to the prohibition on data transfer, including data subject consent and where the transfer is necessary for the purposes of a contract with the data subject. However, it can be difficult to justify transfers on the basis of these exemptions where the transfer is systematic and where there is no genuine ability for a data subject to object to the transfer. Therefore, the safest option for any data controller within the EU which wishes to transfer data on a systematic basis to non-EEA jurisdictions, including the US (and irrespective of whether that transfer is to a parent company or to a service provider), is to use the model clauses and/or binding corporate rules.
The European Commission, in a press release following the ruling, identified the continuation of transatlantic data flows as crucial to the European economy and as one of its top priorities. In this regard, the European Commission has stated that it will work closely with national data protection authorities and will issue clear guidance on dealing with data transfer requests to the US following the ruling.
A number of different initiatives at EU and US level are seeking to redress the balance between national and international security on the one hand, and individual freedoms on the other, as well as to address the perceived and actual shortcomings of Safe Harbour, in order to facilitate the continued transatlantic flow of data which is critical to business.
In June of this year, the USA Freedom Act was passed in the US to strengthen privacy rights and curtail data surveillance by requiring a ‘specific selection term’ to be used as the basis for the production of certain telephone call related records. The Act also enhances individual rights by permitting Foreign Intelligence Surveillance Act courts to appoint advocates to advance arguments on protection of privacy and civil liberties.
The EU Commission and the US have also recently finalised negotiations on data protection standards for transatlantic law enforcement cooperation. The resulting Umbrella Agreement guarantees strong data protection rules for personal data shared with US authorities for the purposes of law enforcement, including limitations on data use, retention periods and onward transfer and rights to access and rectify data and to be notified in the event of a data security breach.
A condition of the Umbrella Agreement was that all EU citizens would be guaranteed a right to enforce their rights in US courts, a right which is to be given effect by the Judicial Redress Bill, which extends the civil remedies available under the US Privacy Act of 1974 to EU citizens. This Bill will go some way to addressing the concern identified in the CJEU judgment that the lack of judicial oversight and effective redress for EU citizens was fatal to the validity of the Safe Harbour scheme.
Meanwhile, the EU and the US have been in discussions for some time on a new version of Safe Harbour, which had already been the subject of criticism following the Snowden revelations. The revised rules promise to deal with many of the concerns that have been raised by national data protection authorities about Safe Harbour and it is expected that EU / US agreement on this improved version of Safe Harbour is imminent.
Pending the conclusion of these negotiations, however, multinationals and companies sharing personal data cross-border must seek an alternative basis to legitimise transfers of personal data to the US. As discussed above, the principal options available are the model clauses or, in the case of intra-group transfers, binding corporate rules.