The eighth Data Protection principle (Schedule 1 to the UK Data Protection Act 1998, implementing Article 25 of the EU Data Protection Directive 95/46/EC) states that ‘Personal data shall not be transferred to a country or territory outside of the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data’. The European Commission had found (Decision 2000/520/EC) that adequate protection was provided where US bodies self-certified their adherence to the ‘Safe Harbor Principles’. These Safe Harbor principles broadly reflect the eighth Data Protection principle, but in a recent judgment of the Court of Justice of the European Union, given on a reference from the Irish High Court (Maximillian Schrems -v- Data Protection Commissioner, Case C-362/14, 6 October 2015), the Commission’s Safe Harbor decision has been declared invalid.
Mr Schrems, an Austrian citizen residing in the EU, was a Facebook user and lodged a complaint with the Irish Data Protection Commissioner arguing that the transfer of his personal data from Facebook’s Irish subsidiary to servers in the US did not offer sufficient protection. Initially, his complaint was rejected on the basis that the European Commission had already decided that the Safe Harbor regime afforded an adequate level of protection for data transferred outside of the EEA.
However, the question was then raised (and referred to the Court of Justice by the Irish High Court) whether such a Commission decision prevented a national supervisory authority (in Mr Schrems’ case, the Data Protection Commissioner for Ireland) from investigating a complaint that an adequate level of protection was not in fact afforded.
The crux of the European Court of Justice’s judgment in Schrems was that the European Commission decision could not eliminate or reduce powers available to national supervisory authorities. In other words, the Irish Data Protection Commissioner was entitled to ‘examine with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the Directive’.
Further, the Safe Harbor regime operated only where organisations voluntarily adhered to it. US public authorities were not themselves subject to it, and Mr Schrems’ complaint centred on the power of US authorities (in particular, the US National Security Agency) to undertake mass surveillance on personal data.
This reasoning means that the Irish Data Protection Commissioner is now required to examine Mr Schrems’ complaint and to decide whether the transfer of his personal data from Facebook’s Irish subsidiary to the US should be suspended on the ground that the US does not afford an adequate level of protection for that data.
This judgment has far-reaching implications for any organisation that transfers personal data outside of the EEA to the US. The Safe Harbor decision having been declared invalid, such organisations will have to rely on other transfer mechanisms, such as Model Contract Clauses, Binding Corporate Rules or Binding Corporate Rules for Processors; note that the judgment did not consider those mechanisms, so their continued validity is not put beyond doubt by it. Other contractual arrangements are also possible, and an organisation affected by the ECJ ruling should seek specialist legal advice before transferring or continuing to transfer personal data to the US.
The Deputy Information Commissioner, David Smith, has commented that ‘The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time to do this’. He further states that ‘The ICO will be working with our European colleagues to produce guidance following the European Court of Justice ruling’. It is clear, therefore, that the implications of the ECJ ruling are far-reaching, and this has been recognised by the regulator. It remains to be seen whether the ruling will affect the development and implementation of the new EU General Data Protection Regulation, which was still being negotiated at the time of the judgment.