On 6 October 2015, the Court of Justice of the European Union (ECJ) handed down a judgment relating to transfers of personal information from the EU to the US. The judgment is seen by many as a 'landmark' decision, a 'bombshell'. In this post, we answer some key questions about the judgment, including what the implications are for transfers of personal information to and from the US and Australia.
What's the case all about?
The EU Data Protection Directive provides that personal data may only be transferred to a country outside the EU if the third country ensures an adequate level of protection of the data. Some of the exceptions to this rule are considered later in this post.
The US does not have a general data protection law that ensures an adequate level of protection of personal data transferred from the EU. However, in 2000, the European Commission adopted a decision to the effect that personal data could be transferred to the US if organisations comply with certain safe harbour privacy principles and FAQs providing guidance for the implementation of the principles (together, the Scheme) (US Safe Harbour Decision). US organisations could self-certify their adherence to the Scheme.
Organisations that were self-certified under the Scheme included global giants Facebook, Google, Amazon and Twitter, along with around 4,400 other companies.
The validity of the US Safe Harbour Decision was challenged by a Facebook user who took the view that, in light of the revelations made in 2013 by Edward Snowden, United States law and practice does not offer sufficient protection against surveillance by law enforcement and other public authorities of the personal data transferred to the US.
What did the ECJ decide?
There was a preliminary finding as to the effect of a European Commission decision (e.g. the US Safe Harbour Decision). However, for present purposes the key finding was that the US Safe Harbour Decision is invalid.
It is clear from the ECJ's decision that it is concerned about the surveillance conducted by US federal agencies, particularly the National Security Agency. Factors that influenced the ECJ's finding of invalidity included the following:
the Scheme was only applicable to those organisations that adhered to it (i.e. self-certified), and it did not apply to US public authorities;
US national security, public interest and law enforcement requirements prevailed over the Scheme, and organisations were bound to disregard the Scheme where it conflicted with such requirements;
US authorities were able to access personal data transferred from the EU and process the data in a manner beyond what was strictly necessary and proportionate to the protection of national security; and
there was no administrative or judicial means enabling affected individuals to access their personal data and obtain the rectification or erasure of it.
What are the implications for transfers to and from the US?
The EU Data Protection Directive applies to a 'controller' not established in the EU where the controller, for the purposes of processing personal data, makes use of equipment, automated or otherwise, situated on the territory of a Member State. As such, an organisation that uses equipment in the EU for the purpose of processing personal data may be covered by the Directive, regardless of whether the individuals affected are EU citizens or not, or physically present in the EU or not.
Given the wide breadth of the application of the Directive, any US organisation that makes use of a cloud network with EU servers may be impacted by the ECJ's decision. In addition, transfers of personal data to and from the US may also be affected.
The result of the ECJ decision is not that transfers of personal data from the EU to US are prohibited entirely. Instead, transfers can continue, but additional steps will need to be taken to ensure the transfer is permitted under the EU Data Protection Directive via an exception to the general rule regarding overseas transfers. These additional steps are likely to be burdensome as compared with compliance with the Scheme.
Organisations transferring personal data from the EU to the US are likely to rely on one of the following exceptions to the rule that personal data may only be transferred to a third country if the third country ensures an adequate level of protection of the data:
consent: the individual to whom the data relates has unambiguously consented to the transfer. The consent must be express, prior and informed, creating difficulties in obtaining consent for information collected in the future and making it practically impossible to obtain consent for personal data that has already been collected (i.e. personal data collected by previously self-certifying US organisations); or
contractual and other measures: there are adequate safeguards to protect the privacy and fundamental rights and freedoms of individuals, such as safeguards resulting from appropriate contractual clauses. For a contract to meet this criterion, it would have to bind the organisation receiving the data to meet the EU requirements for data practices, such as the right to notice, access and legal remedies.
There are 'Model Contracts' for the transfer of personal data to third countries that use standard language approved by the European Commission. However, there is speculation that the European Commission's approval of the Model Contracts could also potentially be invalidated. In addition, a multinational group of companies can apply for approval of 'Binding Corporate Rules' (BCR), which are internal rules that define the group's global policy with regard to international transfers of personal data within the group. However, the BCR approach is limited in that it does not encompass transfers made outside the group.
Of course another option is simply not to transfer personal data outside the EU. However, this may not always be a practical option.
It is not clear whether there will be a change in transfers of personal data from the US as a result of the ECJ decision. However, we may see that US organisations that receive personal data from the EU will require parties to whom they transfer personal information to implement similar protections as the US organisation is now required to implement for compliance with the EU Data Protection Directive.
What are the implications for transfers to and from Australia?
Australian organisations that rely on US service providers that self-certified under the Scheme for cloud-based data storage operations may be impacted by the ECJ's decision, if a service provider makes use of US and EU servers. In addition, there may be implications for other transfers of personal information to and from Australia.
Australia does not have a safe harbour scheme with the EU, and our privacy laws do not ensure an 'adequate level' of protection of personal data transferred from the EU due to, amongst other things, the small business and employee records exemptions under the Privacy Act 1988 (Cth) (Privacy Act). In addition, the Privacy Act provides that an act done or practice engaged in outside Australia does not breach an Australian Privacy Principle (APP) if the act or practice is required by a law of a foreign country. A law of a foreign country includes the US laws that permit US federal agencies to require organisations to provide the agencies with access to personal data for national security and other reasons (that is, laws that permit exactly the kind of surveillance that the ECJ is concerned about). This perhaps now puts the nail in the coffin of Australia being considered, from an EU perspective, to reach an 'adequate level' of protection of personal data.
It is unlikely that the ECJ decision will have any impact on the transfer of personal data from the EU to Australia (unless this happens via the US). Such transfers need to fall within an exception to the general prohibition against transfers to Australia (such as where there is consent or adequate contractual measures are in place). However, as discussed above, there may be an implication for transfers from the US to Australia, as US organisations may require Australian recipients to implement similar protections as US organisations receiving personal data from the EU are now required to implement.
Transfers from Australia will continue to be regulated by APP 8 under our Privacy Act (provided the transfer is a 'disclosure'). Interestingly, the contractual provisions that Australian organisations use as a 'reasonable step' to ensure an overseas recipient does not breach the APPs (as part of compliance with APP 8.1) may become more acceptable to recipients located in the US, who are likely to become more accustomed to such provisions as a result of the ECJ decision. For more information on Australian Privacy Principle 8, see our blog post on dealing with overseas companies, which can be found here.