The Court of Justice of the European Union (“CJEU”) publishes its ruling (the “Ruling”) on Maximillian Schrems v Data Protection Commissioner (the “Case”)
The Ruling in summary
This morning (6 October 2015) the CJEU published its Ruling on the Case, declaring the decision by the European Commission (the “Commission”) on the adequacy of US Safe Harbor, to be invalid.
This Ruling follows less than two weeks after publication of Advocate General (“AG”) Bot’s opinion (the “Opinion”) on the Case (please see our briefing here) and it largely follows the findings of the Opinion:
- With huge implications in the privacy world, the CJEU has ruled the adequacy decision of the Commission (2000/520/EC of 26 July 2000 – the “SH Decision”), which established Safe Harbor, to be invalid. This is on the basis that the SH Decision did not take account of overriding US legislation that permits US authorities (such as the NSA) to have access to personal data of EU citizens.
- The data protection authorities (“DPAs”) in the EU are not (and should not be) fettered by the Commission’s decision on the adequacy of US Safe Harbor (or the data protection laws of other third countries) to provide protection when personal data is transferred outside of the EU. Therefore, DPAs can and should be free to investigate the adequacy rulings of third countries (including the adequacy of Safe Harbor) in response to complaints.
However, the CJEU Ruling does make one crucial divergence from the Opinion: according to the CJEU, DPAs do not have the power to rule whether a decision of the Commission in relation to adequacy is invalid. This power solely resides with the CJEU and therefore, where following an investigation a DPA has concerns in relation to a decision of the Commission, it must refer these concerns to the CJEU, which will rule on the matter. This is crucial as it allows for harmony in the way Commission decisions are applied across Europe (as opposed to each member state independently determining whether such decisions apply in its jurisdiction).
The Case stemmed from a complaint made by Maximillian Schrems (an Austrian citizen) to the Irish Data Protection Commissioner (the “Irish DPA”).
Like all Facebook users resident in Europe, Mr Schrems’ user profile and personal data is collected by the firm’s Irish subsidiary, from which it is then transferred to the servers hosted by Facebook Inc. in the US – this transfer is conducted on the basis of Facebook Inc.’s Safe Harbor certification. Following the NSA revelations made by Edward Snowden (the “PRISM Scandal”), Mr Schrems complained to the Irish DPA that the US and the Safe Harbor regime did not offer ‘adequate’ protection for the personal data of EU citizens if the US authorities could use that data for nonspecific surveillance and monitoring operations.
The Irish DPA rejected this claim on the basis that the SH Decision had already deemed Safe Harbor adequate and therefore companies, like Facebook (which transfer personal data on the basis of Safe Harbor) provide adequate protection of that data.
Not to be perturbed, Mr Schrems sought judicial review by the High Court of Ireland, which in turn sought direction from the CJEU. The High Court of Ireland asked whether the Irish DPA was bound by the SH Decision and if, therefore, the SH Decision prohibited the Irish DPA from (a) investigating complaints that transfers of personal data to the US, pursuant to Safe Harbor, are not adequately protected; and (b) suspending transfers of such data pursuant to Safe Harbor.
On 23 September 2015, the AG released his Opinion on the Case, in which he considered the SH Decision to be invalid and that DPAs should and do have the power to investigate complaints in relation to any decision of adequacy issued by the Commission, and suspend transfers to the relevant recipient jurisdiction if, following investigation, the DPA finds no adequate protections for personal data exist.
While many expected the CJEU to follow the Opinion in part, it is perhaps unexpected (and should cause significant ripples across the privacy sphere) that the Ruling so resoundingly invalidates the SH Decision.
The Ruling in detail
The EU Commission’s Safe Harbor adequacy decision
As previously noted, the Ruling finds that the SH Decision is now invalid. However, perhaps more significantly, the CJEU appears to state that the Commission erred in its original finding that the Safe Harbor scheme provided ‘adequate’ protection, by not concluding that the US (via Safe Harbor) ensures a level of protection to fundamental rights essentially ‘equivalent’ to that guaranteed within the EU. This could potentially mean that the SH Decision has always been invalid.
In making its determination on the validity of the SH Decision, the CJEU examines the definition of ‘adequacy’ and (following the Opinion of the AG) states that:
“…the term ‘adequate level of protection’ must be understood as requiring the third country [in this case the US] in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms to that guaranteed by the European Union by virtue of [the EU Privacy] Directive 95/46 [(the “Directive”)] read in the light of the Charter [of Fundamental Rights (the “Charter”)].”
The CJEU highlights the fact (as revealed by the PRISM Scandal) that US authorities are lawfully permitted to conduct large-scale monitoring and collection of EU citizens’ personal data that has been transferred to the US. On the basis that such collection of data/monitoring in the US is pursuant to public interest and law enforcement interests, which prevail over the requirements of the Safe Harbor scheme, the CJEU notes that US entities are, accordingly, “bound to disregard, without limitation, the protective rules laid down by the [Safe Harbor] scheme where they conflict with such requirements”.
Further, the CJEU observes that such US legislation does not provide for any possibility for an individual data subject in the EU to pursue legal remedies against the US authorities for the processing of their personal data, including a right of access to such data and/or the ability to obtain rectification or deletion of such data.
In light of the above, the CJEU does not consider that the SH Decision of the Commission took into account the existence of rules in the US that, in effect, enable interference (by US public authorities) with the fundamental right to privacy enjoyed by EU citizens, as set out in the Directive based on Articles 7 and 8 of the Charter, and therefore ‘adequacy’/‘equivalency’ cannot exist.
By referring to the Charter and not just the wording of the Directive, which is soon to be replaced by the General Data Protection Regulation (the “GDPR”), the CJEU does not limit this Ruling to the life of the Directive. Therefore, it seems almost inevitable that this Ruling will have an impact on the provisions of the GDPR, which are still being negotiated.
Independence of Data Protection Authorities
Following the Opinion of the AG, the CJEU has ruled that DPAs in each Member State “must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the Directive”.
Therefore, DPAs should and do have authority to investigate complaints raised regarding any decision of the Commission in relation to the adequacy of a third country (i.e. not just the SH Decision in relation to the adequacy of Safe Harbor but all decisions relating to the adequacy of data protection laws in countries outside the EU).
Further, dependent on the outcome of such investigations, the DPAs may refer their findings to the CJEU, which will ultimately rule on whether the adequacy decision of the Commission still stands. This is different from the Opinion of the AG, who considered that each DPA should have the authority to suspend transfers of personal data to the relevant jurisdictions if that DPA (alone) finds that the decision of adequacy by the Commission is not valid. The CJEU was at pains to stress that it did not share this view and that only the CJEU has the power to rule against a decision of the Commission. The CJEU notes that:
“…the exclusivity of [the CJEU to provide such a ruling, has]…the purpose of guaranteeing legal certainty by ensuring that EU law is applied uniformly.”
Returning to the question originally posed by the High Court of Ireland (i.e. is the Irish DPA, and by implication any other DPA, bound by decisions of the Commission and thereby prohibited from investigating complaints and suspending transfers of data?), the CJEU’s Ruling is clearly that:
- Yes, DPAs are bound by decisions of the Commission (including the SH Decision).
- However, DPAs are entitled to act independently to investigate complaints in relation to Commission decisions (without summarily dismissing them) and, where appropriate, refer the matter to the CJEU for further consideration.
- DPAs do not have authority to make their own ruling on the validity of Commission decisions and cannot suspend transfers of data on that basis without the CJEU first ruling that the relevant decision is invalid.
Therefore, in closing its Ruling, the CJEU has requested that the Irish DPA consider the transfers of personal data referred to in the Case and determine whether, in light of the CJEU’s ruling that the SH Decision is invalid, such transfers were (and are) conducted with adequate protections in place.
Presumably the Irish DPA will only be able to conclude that the transfers were not adequately protected if, at the time, no other adequate protection mechanisms were in place. Even if other contractual mechanisms were adopted, it may now have to consider whether they are ‘adequate’.
What are the consequences now Safe Harbor is invalid?
The impact of this Ruling is far reaching, not only for the thousands of companies that have themselves certified under the Safe Harbor scheme but also for the many thousands more that trade with those businesses and disclose personal data to them believing they can do so lawfully. The Safe Harbor scheme underpins a great deal of international trade and services, in particular the use of cloud and other technology-based services, so its impact will be felt across most sectors.
Following the Ruling, this afternoon the Commission held a press conference at which it appeared to confirm that Safe Harbor is immediately invalid, by noting that “transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data [for example, EU Model Clauses and Binding Corporate Rules]”. Therefore, reliance solely on Safe Harbor certification as from today will presumably not be lawful and no ‘sunset period’ will be granted while such other adequacy mechanisms are implemented by affected businesses.
The Commission went on to say that it “…will come forward with clear guidance to [DPAs] on how to deal with data transfers to the US in light of [the Ruling]”.
Accordingly, it seems unlikely that any DPA would instigate enforcement action against companies relying on Safe Harbor for the immediate future, or until such guidance is published (although technically they could). Indeed, the Commission stated that the to-be-published guidance aims to avoid a ‘patch-work’ interpretation of the Ruling across Europe. However, DPAs may find their hands tied if disgruntled affected individuals start issuing complaints on the basis of this Ruling. Further, individuals could also issue claims directly against those companies transferring their data without alternative protective mechanisms in place or an applicable exemption, though in practice there has hitherto not been much in the way of claims activity.
What should you do?
In practical terms, those relying on Safe Harbor should take immediate steps to implement their ‘Plan B’ and ensure adequate protection by entering into EU Model Clauses or (where transfers are made internally within the group) considering Binding Corporate Rules. Careful consideration will need to be given as to how to approach transfers to vendors and whether these contractual alternatives will be workable.
It is also important to note that the CJEU (like the AG in giving his Opinion) refers to ‘adequacy’ as meaning ‘equivalency’ with EU laws. Technically, other transfer mechanisms (such as EU Model Clauses and Binding Corporate Rules) do not provide ‘equivalent’ protections to the personal data of EU citizens or grant equivalent rights to such individuals in relation to their personal data once it has been transferred. Further, the CJEU has based its Ruling that the SH Decision is invalid on the fact that generalised collection/monitoring of EU data by US authorities does not represent equivalency with EU laws and fundamental rights. Neither EU Model Clauses nor Binding Corporate Rules restrict the ability of US authorities to obtain the personal data of EU citizens; therefore such mechanisms may themselves be vulnerable to assertions that they provide no greater ‘adequacy’/‘equivalency’ than Safe Harbor in this regard.
Therefore, it will be interesting to see whether any DPAs receive complaints that transfers based on such alternative mechanisms also do not provide ‘adequate’/‘equivalent’ protection – and how DPAs (and ultimately the CJEU) will approach such complaints. There may need to be an entire re-think of the European approach to ensuring protection of personal data in countries outside the European Economic Area.
Finally, prior to the Ruling, the Commission was in negotiations with its US counterparts in relation to the future of the Safe Harbor scheme and the Commission has, this afternoon, confirmed that those negotiations will continue. Today’s Ruling will surely accelerate the speed at which these negotiations progress and, accordingly, there may be a replacement for Safe Harbor in the future but, for now, businesses should look to their ‘Plan B’.