At a glance
The judgment handed down on 6 October 2015 by the Grand Chamber of the Court of Justice of the European Union (CJEU) in the case of Maximillian Schrems v Data Protection Commissioner (C-362/14), has cast great uncertainty on the safety and legitimacy of the transfer of personal data from the EU to the US. The CJEU ruled in this case that the US Safe Harbor framework is invalid, and so can no longer be relied on by organisations to transfer personal data to the US in compliance with EU data protection legislation.
The judgment is likely to have a significant impact on organisations on both sides of the Atlantic, as a significant number of organisations have, until this ruling, relied on Safe Harbor as a legal mechanism for transferring personal data to the US from the EU.
This is a more detailed version of our earlier article on this subject, 'A safe Harbor no more?', published on 7 October 2015.
The Data Protection Directive
The Data Protection Directive (95/46/EC) provides a framework in Europe for the protection of personal data and is implemented in the UK by the Data Protection Act 1998 (DPA). Article 25 of the Directive provides that transfers of personal data to a country outside the EEA may only take place where the third country can ensure an adequate level of protection for the data. In the UK this requirement is reflected in the eighth data protection principle under the DPA.
What is Safe Harbor?
The US Department of Commerce developed the Safe Harbor framework in consultation with the EU in 2000, so that any organisation transferring personal data to the USA from an EU Member State could ensure compliance with the Data Protection Directive. The framework contained a set of principles with which organisations agreed to comply and related FAQs. It was a voluntary scheme with organisations choosing to register with it and self-certifying that they met the requirements of the scheme.
Following the development of this framework, the European Commission adopted Decision 2000/520 (the Safe Harbor Decision), under Article 25(6) of the Data Protection Directive which held that the Safe Harbor framework ensured an adequate level of protection for personal data transferred from the EU to any organisations in the US that complied with the framework. The Safe Harbor Decision therefore provided a legal means of transferring personal data to the USA in compliance with Article 25 of the Data Protection Directive (and the DPA).
The Safe Harbor framework has been relied on by many organisations in order to transfer personal data across the Atlantic in a wide variety of situations, from intra-company transfers of employee and customer data to the delivery of financial, IT and cloud computing services.
The judgment of the CJEU
An Austrian citizen, Maximillian Schrems, brought a case before the Irish Data Protection Commissioner, alleging that his personal data held by Facebook was not being adequately protected, as his data, along with the personal data of thousands of others, was being transferred from Facebook’s subsidiary in Ireland to servers located in the US. He claimed that, in light of the revelations made by Edward Snowden in 2013 concerning the activities of the US intelligence services, the US failed to offer adequate protection for his personal data. The Data Protection Commissioner decided that it was bound by the Safe Harbor Decision. The case was then referred to the Irish High Court, which asked the CJEU to consider whether the fact that the European Commission had determined that the Safe Harbor framework ensured an adequate level of protection prevented a data protection regulatory authority from itself being able to examine a complaint from a data subject that, despite the Commission’s finding of adequacy, there was an inadequate level of protection for personal data.
In its decision on 6 October 2015, the CJEU held that the existence of the Safe Harbor Decision could not restrict the powers available to a Member State’s data protection regulatory authority to examine a complaint concerning whether the US ensures an adequate level of protection for the personal data of an EU data subject transferred to it.
Furthermore, and with more immediate consequences, the CJEU held that the Safe Harbor Decision was also invalid on a number of grounds including:
- The fact that the Safe Harbor framework was voluntary meant that it only applied to organisations which chose to adhere to its restrictions on data use. US public authorities were not required to comply with the framework.
- ‘national security, public interest, or law enforcement requirements’ had primacy over the Safe Harbor principles, meaning that US organisations receiving personal data must disregard those principles where they conflict with those requirements, thus enabling interference with the fundamental rights of the persons whose personal data is transferred from the EU to the US.
- The Safe Harbor Decision did not make any findings in relation to the existence of rules adopted by the US which were intended to limit any such interference and nor did it refer to the existence of effective legal protection against interference of that kind.
- The broad derogations in the Safe Harbor framework allowed US public authorities to access personal data in situations where it could not be considered strictly necessary for them to have access to it. The Court considered that permitting US public authorities to have such generalised access to personal data compromised the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter of Fundamental Rights of the European Union.
- There was a lack of effective legal redress for data subjects whose data is passed to US authorities by Safe Harbor-certified entities pursuant to these derogations. The CJEU considered that any framework which provided no possibility for an individual to pursue legal remedies in order to access personal data relating to him/her, or to obtain rectification or erasure of such data, compromised the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter.
What are the implications of the ruling?
The case itself has been sent back to the Irish Data Protection Commissioner, who will now examine whether in fact Facebook has offered its users in the EU adequate protection of their personal data, pursuant to the Data Protection Directive. If it decides that the protection in place is inadequate, it may order the suspension of Facebook’s transfer of data from the EU to the US.
However, the implications of this case stretch far beyond the impact on social media users. The decision of the CJEU has immediate effect and renders all transfers of personal data from the EU to the US on the basis of the Safe Harbor framework unlawful.
Who is affected by the ruling?
All organisations within the EU that are transferring personal data to US organisations in reliance on the Safe Harbor status of those organisations are affected by this ruling. The list of US organisations that have signed up to the Safe Harbor framework can be accessed here.
What do we need to do in light of this ruling?
Organisations that relied on the Safe Harbor framework will need to review their arrangements for transferring personal data to the US and ensure that they put in place an alternative means of complying with the Data Protection Directive. Alternative arrangements must be considered on a case-by-case basis, but organisations affected by the ruling may wish to consider:
- Putting in place model clauses (in the form approved by the European Commission) with the US recipient (although in light of some of the reasons given by the CJEU for the invalidity of the Safe Harbor Decision it is not clear how long model clauses may prove to be a suitable alternative, particularly given the recent statement from the Article 29 Working Party – see below).
- Relying on a set of approved intra-group binding corporate rules to legitimise the transfer.
- Restricting the transfer of personal data outside the European Economic Area either by restructuring arrangements such that data processing is completed within the European Economic Area or anonymising the data that is transferred outside the European Economic Area.
In the meantime, negotiations on a revised Safe Harbor framework which were already underway before the CJEU ruling will undoubtedly continue with an increased sense of urgency. Waiting on the outcome of those negotiations is not however a legally robust solution for organisations affected by the judgment now.
Enforcement in the UK
It is the role of each Member State’s data protection regulatory authority to determine whether individual organisations are contravening data protection provisions in the way that they transfer personal data to the US. The Information Commissioner’s Office (ICO) is responsible for monitoring compliance in the UK, and has provided some reassurance to affected organisations. In a statement released on the same day as the CJEU decision, the Deputy Commissioner of the ICO, David Smith, recognised that it would take some time for organisations that had previously relied on Safe Harbor to review their approach to transferring data to the US. He stated that there are other means by which to transfer personal data to the US which comply with the DPA, and reassured organisations that the ICO would be offering further guidance for businesses over the coming weeks.
Enforcement in the EU
In light of the ruling, the Article 29 Working Party has issued a statement urgently calling for Member States and EU institutions “to open discussions with US authorities to find political, legal and technical solutions” to enable data transfers to the US “that respect fundamental rights”. In particular they have suggested that the negotiation of intergovernmental agreements could offer a solution, which could include the current negotiations concerning a revised Safe Harbor.
In the meantime, the Working Party has indicated that it “will continue its analysis on the impact of the CJEU judgment on other transfer tools”. This could indicate that they are also assessing the impact of the judgment on the EC model clauses.
Their statement, however, warns that if no solution has been found with US authorities by January 2016, and depending on the outcome of the Working Party's assessment of the other transfer tools, “EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”. As such, organisations would be well advised to have implemented an alternative compliance solution to Safe Harbor by this date.