Earlier this month, the Court of Justice of the European Union (CJEU) delivered two judgments in the space of a week which have profound effects for any EU-based business which processes personal data.
In Schrems v Information Commissioner the CJEU held that the Safe Harbor arrangements between the EU and the US are invalid, which means that any EU business that transfers personal data from the EU to the US now risks regulatory censure.
In Weltimmo v Hungarian data protection authority the CJEU took a broad approach to the concept of "establishment", reinforcing the message that businesses based in the EU may be subject to the data protection laws of a wider range of EU Member States than they realise.
Schrems v Information Commissioner
EU data protection rules prohibit EU companies that hold and use personal data for their own purposes (data controllers) from transferring personal data to countries outside the EEA that do not protect personal data in a similar manner to the EU (Data Transfer Prohibition).
The USA is a country which is deemed by the EU not to adequately protect personal data.
However, a scheme has been set up in the USA called the Safe Harbor scheme that allows US companies to self-certify that they protect personal data in a similar manner to EU companies; and an EC decision in 2000 provides that EU companies can transfer personal data to US companies that are participants of the Safe Harbor scheme without breaching the Data Transfer Prohibition (EC Decision 2000/520).
The Safe Harbor principles allow US companies not to adequately protect personal data where protecting such data would breach US law. Following the Edward Snowden revelations, it has become clear that the US government has established a program, under the umbrella of national security, which gives it unrestricted rights to intercept and survey data (including personal data) held by Safe Harbor participants in the US.
The CJEU decision in Schrems held that this unilateral right of surveillance meant that Safe Harbor participants could not, in reality, offer adequate protection for personal data and that, as a result, EC Decision 2000/520 is invalid.
The immediate implication of Schrems is that EU companies can no longer rely on EC Decision 2000/520 to transfer personal data to US companies that are participants of the Safe Harbor scheme. Transfer arrangements that EU companies currently have in place that rely on EC Decision 2000/520 will need to be restructured, whilst future arrangements will not be able to rely on the Safe Harbor arrangements.
However, our view is that the implications of Schrems go much wider than just the invalidity of EC Decision 2000/520, calling into question the validity of any transfer of personal data to companies located in the US. US companies (Safe Harbor or not) cannot escape or opt out from the current US surveillance programs and so it is difficult to see how any form of transfer (whether by the EU model contract clauses route or otherwise) can be said to adequately protect personal data, based upon the views expressed in Schrems.
It also raises alarm bells about how many other non-EU countries have similar surveillance programs to the US, also calling into question the validity of transferring personal data to those countries by any means.
One thing is for sure – Schrems has put the onus back on EU companies to ensure that transfers of personal data outside the EEA do not breach the Data Transfer Prohibition. Companies will not be able to blindly rely on Safe Harbor arrangements or EU model contract clauses to justify transfers and will have to take a more active role in assessing the impact on data subjects of transferring personal data outside of the EEA – through means such as initial due diligence and ongoing compliance monitoring.
Weltimmo v Hungarian data protection authority
One of the cornerstones of current EU data protection legislation is that EU data controllers only have to comply with the data protection rules in the country in which they are established.
The Weltimmo case looked at whether a company which was registered in Slovakia but operated a property website written in Hungarian and designed for the advertisement of properties in Hungary had to comply with data protection laws in Hungary in relation to its business activities in Hungary.
The CJEU decision in Weltimmo took a broad view of the concept of establishment and held that this concept was not confined to a data controller's country of registration. So long as a data controller exercises a real and effective activity in another Member State through, in the Court's words, "stable arrangements", the data protection laws of that Member State could apply. On the facts, the CJEU considered that Weltimmo's arrangements in Hungary were sufficiently stable that it could be said to be established there and, as a result, subject to the Hungarian data protection regime.
Whilst the decision in Weltimmo is not that surprising to seasoned data protection practitioners, it does emphasise that, whilst an English registered company will clearly be "established" in the UK, it does not follow that not being registered in other Member States will automatically mean that it is not "established" in those States.
This is of particular relevance to EU companies that have branches or places of business in a number of Member States or that sell goods or services in a number of Member States via a main establishment in one Member State (in particular, via the Internet).
For such businesses, it is easy to assume that you are only established in one place, whereas this may not be the case in reality.
The Schrems case has created a lot of uncertainty about data transfers outside of the EEA.
The Article 29 Working Party (an independent advisory body on data protection and privacy composed of, amongst others, representatives from the data protection authorities of the EU Member States) has recently issued a statement on the Schrems case calling upon the EU Member States and institutions to open discussions with the US authorities as a matter of urgency and confirming that, in its view, data transfers to the US by way of the EU model contract clauses are the best current solution available to EU-based data controllers.
The UK Information Commissioner has also indicated that it will issue further guidance following Schrems in the coming weeks, which is a welcome development.
In the meantime, it is clear that US data transfer arrangements you have in place that rely on the Safe Harbor scheme are now unlawful. You should be terminating or replacing these arrangements and, more broadly, you should be looking at your current data transfer arrangements and policies and considering taking a more active role in putting in place and policing your data transfer arrangements to help ensure that transferred data is adequately protected.
You should also keep track of a data protection case involving Microsoft which is currently working its way through the American court system. In this case, the US Government has demanded access to any data held by organisations whose parent companies are based in the US, irrespective of whether that data is held inside or outside of the US. If the US Government succeeds in this action, this will be a significant development that may call into question the legality of an EU data controller transferring personal data to a business that is part of a US group, irrespective of where that data is ultimately going to be held.
Finally, the Weltimmo decision should act as a reminder to look afresh at how you operate within Europe to make sure you are clear on which Member State data protection laws you need to comply with in respect of those operations.
Schrems, Microsoft and Weltimmo highlight the continuing difficulties and complexities in dealing with cross-border data protection issues.