The judgment of the Court of Justice of the European Union in Case C-362/14 on Safe Harbour published on 6 October 2015 repealed the decision that had introduced the Safe Harbour agreement.
What is the Safe Harbour agreement and why is it important?
The regulatory regime on data protection in the USA is significantly different from the regulations adopted in the European Union and in its Member States. Pursuant to the European regulations, personal data are allowed to be transferred to a third country only if the data subject has given his consent or if the protection of the personal data is on an adequate level when they are processed.
The European regulation and its Hungarian counterpart (i.e. the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information, hereinafter referred to as: ’Info Act’) definitely provide the criteria when protection is considered as adequate. According to the Info Act, protection is adequate when it is so declared by a binding legal act of the European Union or when an international treaty is in force between the third country of destination and Hungary or where there are organisation-wide internal regulations at place. (This is the so-called Business Corporate Rules (BCR) – introduced in Hungary by the last amendment of the Info Act as of 1 October, 2015 which allows multinational companies to transfer data within their own groups of companies.)
According to the European Commission, adequate protection of personal data is deemed as secured in the USA in two cases only:
- when data transfer was made to an American company that is listed on the Safe Harbour list i.e. which company undertook to comply with the ‘safe harbour’ data protection principles issued by the US Government regarding personal data protection;
- when data serving the registration of passengers are transferred to the US Customs and Border Protection.
Upon a US company having been put on the Safe Harbour list, it has been considered as safe by the European Union from then on.
The Safe Harbour Decision
The legal ground of the Safe Harbour regime was established by the 2000/520/EC Commission Decision of 26 July 2000 adopted in accordance with the Directive 96/46/EC (Data Protection Directive). This Decision also includes those data protection principles which must be followed by companies resident in the USA when they process personal data originating from the European Union. This means that the Safe Harbour agreement made it possible to transfer the personal data of European citizens to the USA with the anticipation that the country of destination ensures data protection for the citizens of the EU Member States at an adequate level.
In practice, it meant that any company on the Safe Harbour list had to submit itself voluntarily to and be bound by a regulation consisting of seven points. However, as it had not been clearly defined by whom and how control of such companies’ observance of the rules should be exercised and therefore, the safety of the data managed and processed under the regime of the Safe Harbour agreement has been largely disputed.
The main objection to the Safe Harbour agreement was that it took no notice of the USA regulation based on which the USA authorities (like NSA – National Security Agency) had access to the personal data of EU citizens and could process them in a way which might irreconcilably contradict the original purposes of their transfer. On this basis, the American authorities have been allowed to follow practices leading to potential detriment to fundamental rights of EU citizens.
The background of the case
In 2013, after the Snowden scandal had broken out, an Austrian university student Max Schrems turned to the Irish Data Protection Authority as the body supervising Facebook in Europe and claimed a check on Facebook whether it had processed his personal data in accordance with the European regulations when it granted access to the American secret services to the data given to the social website. The Irish authority rejected the claim without having gone into its merits stating that a national government agency had no authority to reconsider any decision of the Commission. Following that, Schrems had brought his case to Irish Supreme Court and then the Irish Court requested a position statement from the Court of Justice of the European Union regarding the case concerned.
The judgment of the Court of Justice of the European Union
In its judgment, the Court of Justice of the European Union repealed the Safe Harbour agreement made by the European Commission, and Schrems’ claim was returned to the Irish Data Protection Authority with a ruling that it has to examine the question in merit. The Court declared that the Safe Harbour framework did not harmonise with the laws of the European Union, as the data were not protected on an adequate level. The ruling held that national authorities are obliged to examine the substance of claims of this kind.
This must be so, since the Safe Harbour agreement included rulings regarding the data processor only but it does not bind the American authorities. EU citizens were in no way being protected against the collection of their data by the American authorities, the quantity of which often exceeded the interests of national security. On such grounds the Court repealed the Safe Harbour framework.
In its judgment, the Court also held that national data protection authorities in the EU, and accordingly, the Hungarian data protection authority as well, have the right to examine the data protection guarantees of any data transfer to a third country.
The decision of CJEU invalidating the Safe Harbour Decision emphasizes that national data protection authorities of the Member States do have the power to examine data transfers to abroad, i.e. whether the country of destination secures appropriate guarantees when the transferred data are processed. The data protection authorities of the Member States are entitled to exercise their rights even when the European Commission had previously adopted a decision regarding the issue concerned.
Statement of the National Authority for Data Protection and Freedom of Information
The National Authority for Data Protection and Freedom of Information (’NAIH’) released an official statement on 6 October 2015, (http://naih.hu/files/2015-10-06-Kozlemeny---Safe-harbor.pdf) wherein it welcomed the judgement of the CJEU and pointed out that as a consequence of the judgement, all data transfers to the USA must be substantially re-addressed.
In its statement the NAIH also pointed out that it will further revise its own agenda on the basis of the judgement and collaborates with the data protection authorities of the other EU Member States with the aim of adopting a uniform position. An extraordinary meeting dedicated to this issue has already taken place and then the leaders of the national authorities will endeavour to work out a common opinion in a plenary session soon.
The Impact of the Decision
The impact of the decision of the Court of Justice of the European Union is unforeseeable at present as all data transfers to the USA are affected by the judgment (including, among others, those of so well-known companies as e.g. Facebook, Google, Yahoo, etc.) which exploited the Safe Harbour regime. The use of the Safe Harbour regime has been quite widespread for data transfer in the fields of international trade and services and therefore, the judgement has an impact on practically all economic sectors. The problem is to be dealt with by all companies which – consciously or unconsciously, through its subcontractors –in some form stores or handles data in the territory of the USA. The development of the regulation is to be monitored and the companies must be prepared for implementing the changing rules. Therefore, the situation is complex at the moment and the affected players must be alert and striving to find legitimate and feasible solutions for data transfers to the USA within the shortest possible time.