A common feature in data privacy laws around the world, such as Singapore’s Personal Data Protection Act 2012 (“PDPA”), Australia’s Privacy Act and Privacy Principles, and Canada’s federal Personal Information Protection Act, is the imposition of limitations on the transfer of personal data outside of that jurisdiction.
While the exact provisions of this limitation may vary, the fundamental principle is often the same - the transferring organisation may not transfer personal data out of the country (the “Origin”) to an overseas recipient unless it can ensure that the personal data transferred is afforded a standard of protection that is sufficiently comparable to that under the data privacy laws of the Origin. This is often effected through contractual means imposing obligations on the recipient to comply with the data privacy laws of the Origin, or by ensuring that the jurisdiction in which the recipient is located has domestic data privacy laws that are substantially similar to that of the Origin.
Similarly, under the EU Data Protection Directive, Directive 95/46/EC, the transfer of personal data to countries outside of the European Economic Area (“EEA”) is prohibited unless that country is able to ensure that an adequate level of protection is afforded to the personal data so transferred.
In light of the above prohibition imposed by Directive 95/46/EC, and in recognition of the need to facilitate data flow between the EU and the US, the European Commission (“EC”) issued Decision 2000/520 on 26 July 2000. This decision sets out the EU-US Safe Harbour regime, a self-certification process that allows for the transfer of personal data from the EU to US organisations that have voluntarily committed to adhere to certain data protection principles that have been agreed upon between the EC and the US Department of Commerce, and which would have been otherwise prohibited by Directive 95/46/EC given that the US does not have a comprehensive data protection regime in place.
This essentially allows an EU organisation to transfer personal data of individuals to a US organisation which has self-certified that it is safe harbour compliant, without the need to execute a data transfer agreement or a set of binding corporate rules prior to such a transfer. For the past fifteen (15) years, the regime has been relied on by many EU organisations to transfer personal data to the US.
However, on 6 October 2015, the Court of Justice of the European Union (“CJEU”) issued an earth-shattering ruling invalidating the EU-US Safe Harbour regime for trans-Atlantic transfers of personal data. The invalidation of the EU-US Safe Harbour regime effectively means that all transfers of personal data to the US by organisations in the EU that rely on the EU-US Safe Harbour regime are technically unlawful, and would henceforth need to be effected through other means.
In this client update, we briefly introduce the background of the case, the key points of the judgment and the main implications resulting from the judgment.
Background of the Case
The genesis of the case was a complaint to the Irish Data Protection Commissioner (“IDPC”) on 25 June 2013 by an individual, Max Schrems, claiming that the transfer of personal data by Facebook Ireland to servers in the US belonging to Facebook Inc. should be prohibited as the personal data was not adequately protected. This assertion was made in light of the revelations by Edward Snowden relating to the US government’s surveillance and intelligence activities over personal data held in the US by US-based organisations.
The complaint was initially rejected by the IDPC on the grounds that the claim was unfounded, and that the IDPC was bound by Decision 2000/520 where the EC had determined that the EU-US Safe Harbour ensured an adequate level of protection over personal data transferred to the US.
Following an appeal by Max Schrems to the High Court of Ireland, this case was referred to the CJEU as it concerned a question of the implementation of EU law.
Key Points of the Judgment
In deciding the case before it, the CJEU examined Decision 2000/520 and found that, inter alia:
- the EU-US Safe Harbour regime applied only to self-certified US organisations and not to US governmental agencies, which were able to access and process personal data transferred from the EU in a way that was “incompatible with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security”;
- the individual to whom the personal data relates had no means of legal recourse against such actions by the US governmental agencies;
- the meaning of “adequate level of protection” had to be understood as providing a level of protection, by reason of a country’s domestic law or international commitments, that was “essentially equivalent” to that provided for in the EU’s Data Protection Directive; and
- the EC had not stated that the level of protection afforded to personal data in the US by “reason of its domestic law or its international commitments” was in fact adequate.
In light of the above, the CJEU held that Decision 2000/520 and consequently the EU-US Safe Harbour regime were invalid.
Main Implications of the Decision
The effects of the CJEU’s decision are expected to be felt in particular by organisations in the EU (including EU-sited subsidiaries of US parent companies) that currently rely on the EU-US Safe Harbour regime to transfer personal data to the US. Such organisations now have to implement other means of legitimising their transfer of personal data, such as a data transfer agreement or binding corporate rules, and are also faced with the possibility of investigations and sanctions by their national authorities relating to such data transfers.
In one fell swoop, the edifice of legitimacy of personal data transfers from EU organisations to the US has been demolished, and this leaves many affected organisations scrambling to put in place other measures to legitimise continued personal data transfers. The stoppage of personal data transfers would certainly impact organisations’ existing business processes as well as their contractual commitments. Whether these organisations can argue force majeure in seeking to claim forgiveness for any contractual lapses arising from the CJEU’s decision would need to be explored.
As stated above, Singapore’s PDPA similarly prohibits transfers of personal data outside of Singapore unless the transferring organisation can ensure that the overseas recipient provides a standard of protection that is comparable to that under the PDPA. Although organisations in Singapore are unlikely to be directly affected by this judgment, it does provide some insight into the difficulty of navigating cross-country personal data transfers amidst the complex web of different data protection regimes in place in various countries, as well as the inherent volatility of this ever-changing landscape. One thing is for sure – nothing is cast in stone as far as data privacy law is concerned. With continued developments in technology and the burgeoning mining of personal data for commercial use, it is certain that data privacy law in Singapore, as well as in other parts of the world, will continue to evolve.