In a landmark judgment in Schrems v Data Protection Commissioner (C-362/14) (October 6, 2015) (“Safe Harbor judgment”), the European Court of Justice (“ECJ”) found the Safe Harbor Decision of the European Commission (Commission Decision 2000/520/EC of 26 July 2000) to be invalid. The invalidity of the Safe Harbor Decision calls into question the legality of large portions of data flows from Europe to the United States and causes considerable legal uncertainty for US companies offering their services in the EU.
Under Art. 25 (1) of the EU Data Protection Directive 95/46/EC (“Directive 95/46”), the central legislation to govern the processing of personal data of European users, personal data of European citizens may be transferred to a non-EU country only if the country in question ensures an adequate level of protection of the data transferred. In its Safe Harbor Decision, the European Commission had decided that the "Safe Harbor Privacy Principles" as provided for by the United States Department of Commerce and its guidance documents (e.g., the FAQs) and procedures ensure an adequate level of protection for personal data transferred from the EU to organizations established in the US provided that these organizations: (1) have unambiguously and publicly disclosed their commitment to comply with the Safe Harbor Principles; and (2) are subject to the statutory powers of a government body in the United States that is empowered to investigate complaints and to obtain relief against unfair or deceptive practices as well as redress for individuals.
Such decisions of the European Commission are generally binding for the EU Member States and their authorities. Hence, based on the Safe Harbor Decision, the transfer of personal data of EU citizens to Safe Harbor-certified organizations in the US, which have been treated by virtue of the Safe Harbor Decision as if they were seated in a safe country in the meaning of Art. 25 (1) Directive 95/46, was considered legal. Large portions of the currently existing data transfers from the EU to the US rely for their legitimacy on the Safe Harbor Decision.
The Safe Harbor Judgment of the ECJ
The case before the ECJ was referred by the High Court of Ireland in a case brought by Max Schrems, an Austrian data protection activist, against the Irish Data Protection Commissioner (“IDPC”). Mr. Schrems had asked the IDPC to exercise his powers to prohibit Facebook from transferring his personal data to the United States. The IDPC refused to take action, arguing that it was bound by the Safe Harbor Decision. Mr. Schrems brought an action before the Irish courts, challenging this decision of the IDPC, and the High Court of Ireland referred the case to the ECJ, asking whether the Safe Harbor Decision could indeed be binding on the IDPC, given that “the revelations made by Edward Snowden had demonstrated a ‘significant over-reach’ on the part of the NSA and other federal agencies” on the data transferred from the European Union to the United States.
The ECJ judgment addresses the question of the High Court in two steps:
- In a first step, the ECJ finds that the national data protection authorities (“DPAs”) are always entitled to investigate and assess, upon a complaint of a person concerned, a data transfer to a third country, regardless of whether or not the European Commission has adopted a decision on the adequacy of the level of protection in the destination country (paras. 51-57). Moreover, the ECJ alone has jurisdiction to declare that an EU action, such as a Commission decision, is invalid. This means that a DPA or the person concerned must put forward their objections against a Commission decision before a national court, which in turn may refer the case to the ECJ (paras. 61-65).
- In a second step, the ECJ assesses the Safe Harbor Decision itself and finds it, “without there being any need to examine the content of the safe harbor principles,” to be invalid since the Commission, when adopting it, did not find, “duly stating reasons,” that the United States does in fact ensure, by reason of its domestic law or its international commitments, an adequate level of protection (paras. 96-98).
The ECJ decision states that an adequate level of protection within the meaning of Art. 25 (1) Directive 95/46 does not require a level of protection identical to that guaranteed in the EU legal order. In order to comply with this standard, however, a country has to ensure a level of protection of fundamental rights and freedoms that is “essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter” (para. 73). According to the ECJ, the Commission did not advance in its Safe Harbor Decision sufficient reasons to the effect that the safe harbor principles actually ensured such standard of protection. Inter alia, the ECJ criticizes that the Safe Harbor Decision:
- lays down that national security, public interest, or law enforcement requirements have primacy over the safe harbor principles (paras. 84-87),
- contains no finding regarding the existence in the United States of rules intended to limit any interference with the fundamental rights of the persons whose data is transferred to the US (para. 88), and
- does not refer to the existence of effective legal protection against interference of that kind (para. 89).
The ECJ decision goes on to hold that this analysis was borne out by the Commission’s own assessments advanced in communications in 2013, which found that the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way that is incompatible, in particular, with the purposes for which it was transferred and beyond what was strictly necessary and proportionate to the protection of national security. The Commission had also noted that the data subjects had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased (para. 90). According to the court, such access was incompatible with the level of protection of fundamental rights and freedoms that is guaranteed within the European Union (paras. 91-95).
The Safe Harbor judgment of the ECJ has the potential to cause a sea-change with respect to how data transfers between the EU and the US will have to be structured in the future. United States organizations cannot at this point rely any longer on a Safe Harbor certification to transfer personal data of European citizens from the European Union to the United States. In addition, the Safe Harbor judgment appears to leave no room for a new industry-driven or certificate-based solution to replace the Safe Harbor, unless the United States guarantees an adequate level of protection, i.e., a protection “essentially equivalent” to the protection afforded in the EU, based on domestic law or its international commitments. The ECJ has made clear that to this end in particular the access of United States authorities to the data of European Union citizens transferred to the United States will have to be limited in line with the requirements set out in the case law of the ECJ.
Short-term solutions will therefore, most likely, have to be based on alternative legal grounds under Art. 26 Directive 95/46 such as, e.g., standard contractual clauses or explicit consent of the persons concerned.
In its first reaction to the Safe Harbor judgment, the European Commission reiterated its determination to find a solution to ensure the continuation of data flows across the Atlantic. It announced it will continue to negotiate with the United States a “Safer” Safe Harbor framework.
In order to mitigate unreasonable legal uncertainty for United States companies facing uncoordinated initiatives by national DPAs that may feel encouraged by the Safe Harbor judgment to suspend data transfer to the US, the Commission also announced its intention to work closely with the DPAs and to issue clear guidance on how to deal with transfer requests or complaints. Whether these political initiatives of the Commission will provide for practical solutions short term is yet to be seen.