The Court of Justice of the European Union (CJEU) has handed down its judgment in the Schrems case. The Court agrees with the Advocate General (AG) and holds that:
- DPA Decision: the fact that the EU Commission had adopted a Decision (2000/520/EC) approving the US Safe Harbor does not prevent national data protection authorities (DPAs) from investigating complaints about transfers made under it; and
- Safe Harbor Decision: the Commission's Decision (2000/520/EC) on the Safe Harbor is invalid.
Since the Court's judgment on Tuesday 6 October 2015, the ICO (the UK Information Commissioner's Office) has issued a press release. It says that businesses should review how they transfer data to the US, but recognises that this will take some time. It also reminds everyone that Safe Harbor is not the only lawful basis for data transfers, and says that it is considering the judgment in detail and working with counterpart data protection authorities in other EU member states to issue further guidance for businesses on the options available. Clearly, the message is: "Don't Panic". The Commission said the same thing at its press conference on the day of the judgment.
Max Schrems (an Austrian privacy campaigner) complained to the Irish Data Protection Authority (DPA), in the light of the Snowden revelations, about the personal data Facebook holds on him and transfers to the US. The Irish DPA dismissed the complaint because the relevant transfer was covered by Safe Harbor. Schrems then took the matter to the Irish High Court, which clearly had some sympathy with his concerns but referred the question to the CJEU for a ruling.
DPA decision: DPAs can investigate independently
The Court decided that the existence of a Commission Decision on the Safe Harbor does not override DPAs' powers to investigate independently. Much was made (both by the Court and the AG) of the need to interpret the law in the light of "the fundamental rights guaranteed by the Charter". This refers, in particular, to Article 7 of the Charter of Fundamental Rights (respect for private life) and Article 8 (protection of personal data). The Court leans heavily on the Charter in justifying its "reassessment" of Safe Harbor.
What does this mean?
We see a number of issues. Does this convert DPAs from administrative enforcement agencies into quasi-judicial bodies? (DPAs can already make assessment decisions.) And how will this work with the General Data Protection Regulation (GDPR), under which the Commission will have power to make secondary legislation? That model for secondary legislation under the GDPR may need to be reviewed.
More importantly, does this create the risk of individual DPAs firing off country-specific investigations and "local decisions" on data transfers? Clearly, that would not be good for Europe's digital economy. The Commission was at pains to point out at its press conference that guidance will be issued to ensure clarity and certainty. Business will welcome this; the sooner we get the guidance, the better. Interestingly, paragraph 48 of the Court's judgment refers to the transfer of personal data overseas as being necessary for the expansion of international trade. We agree.
Safe Harbor decision
Mr Schrems' contention was that US law and practice do not ensure an adequate level of protection within the meaning of Article 25 of Directive 95/46. As mentioned above, the Irish High Court seemed to have some sympathy with this.
The Court raised a number of concerns with Safe Harbor. First, it highlighted the fourth paragraph of Annex I to the Safe Harbor Decision, which says that adherence to the Safe Harbor principles may be limited to the extent necessary to meet national security, public interest or law enforcement requirements, or by statute, government regulation or case law, provided that any non-compliance is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorisation. The Court concluded that this means US law overrides Safe Harbor in the event of conflict. We don't think that this is so "black and white", but nevertheless that was the Court's decision.
The Court also criticised the Commission's original Decision for containing no finding that US law strikes the right balance with privacy rights. Similarly, the Court was not persuaded that there was any independent body in the US with power to regulate outside the Safe Harbor regime. Then again, how often do the EU DPAs take action against EU national governments on similar issues? There has been commentary recently suggesting that, as a matter of fact, US anti-terrorism law is actually more restrictive than the equivalent law in the EU. The Court did not consider this.
The Court was also influenced by the Commission's own position that Safe Harbor needs an upgrade, hence the 13 recommendations published by the Commission eighteen months ago and the ongoing negotiations with the US.
In this context, the Court took the view that "legislation permitting public authorities to have access on a generalised basis to the content of electronic communications" compromises the essence of the right to private life under Article 7 of the Charter. Similarly, it held that the absence of any possibility for an individual to pursue legal remedies breaches the right to effective judicial protection under Article 47 of the Charter. The Court therefore decided that Decision 2000/520 "fails to comply with the requirements laid down in … Directive 95/46".
Article 3 of Decision 2000/520
Interestingly, Article 3(1) of the Safe Harbor Decision lays down specific rules on the powers available to national DPAs in the light of a Commission finding of adequacy; in effect it sets a higher threshold before a national DPA can intervene. The Court decided, however, that this cannot restrict the DPAs' powers under the Directive, so the Directive's broader approach to when DPAs can intervene applies. This somewhat flies in the face of the terms of the Safe Harbor Decision itself. Nevertheless, that was the Court's finding.
What does this mean for Safe Harbor companies?
There are currently 4,465 companies signed up to the Safe Harbor self-certification regime. Technically, the Safe Harbor basis for data exports no longer applies, so those companies need to find an alternative legal basis for exporting data from Europe to the US. The Commission said at its press conference that it is important that transborder data flows continue and that guidance will be published for EU businesses to ensure clarity and certainty. It also said that it is "well advanced" in agreeing a new Safe Harbor 2.0 package: apparently it was close to agreement before the summer but needs more time to finalise the national security exemptions. So this is not any kind of international data war. The Commission could not, however, give any time frame for finalising Safe Harbor 2.0.
In the meantime, we advise businesses to do the following:
- Review (or audit) your current data flows to the US that rely on Safe Harbor, including intragroup transfers and contracts with vendors. We know that some of the large vendors are already offering model contracts to their corporate customers.
- Prioritise the data flows that involve the largest volumes or the most sensitive data.
- Consider implementing model contracts to replace Safe Harbor for those data flows. Timing will depend on the guidance issued by the data protection authorities; the ICO has said that companies will need time to consider this, and it is probably worth waiting for the Article 29 Working Party guidance (which we expect soon).
- Consider the likely structure of the model contracts (they generally need to be bilateral, as multi-party and multi-country agreements can be problematic).
- Keep a paper trail documenting the steps you have taken, and track progress against it.
Are model contracts a reliable alternative?
For current purposes, at least until Safe Harbor 2.0 is agreed, model contracts are likely to be the best alternative. There is, technically, a risk that local data protection authorities try to unpick some of those transfers as well. However, there are significant differences between Safe Harbor and model contracts: model contracts are much more closely aligned with EU law and, essentially, "export data protection law with the data", so the risk here should be much lower. Nevertheless, we think it's worth waiting for the guidance, which we expect will provide reassurance on this.
As an aside, the Commission also hinted yesterday that it plans to have the GDPR finalised this year. This seems optimistic, but let's wait and see.