On 6 October 2015, the Court of Justice of the European Union (CJEU) handed down its judgment in the case of Schrems v Data Protection Commissioner (C-362/14). The CJEU has ruled that the US Safe Harbor is invalid. The judgment will have a sizeable impact given the large number of EU organisations that have relied on the Safe Harbor as a mechanism for the transfer of personal data to US organisations, particularly in the context of cloud computing. We have set out below a more detailed explanation of the decision and the steps organisations that have historically relied on the Safe Harbor mechanism should now take.
The European Data Protection Directive (Directive 95/46/EC), and accordingly the national laws that implement the Directive (in the UK, the Data Protection Act 1998 (DPA)), prohibit the transfer of personal data outside the European Economic Area, unless adequate protection is provided for the data or an exemption applies. In order to facilitate the transfer of personal data to the US from Europe in compliance with European data protection law, the European Commission adopted Decision 2000/520. This Decision held that the US Safe Harbor framework (comprising a set of voluntary principles and related FAQs) ensured an adequate level of protection for personal data transferred from Europe to organisations in the US that agree to comply with that framework.
The Court's decision in Schrems
Mr Schrems brought proceedings against the Data Protection Commissioner in Ireland in the Irish High Court as a result of the Commissioner’s refusal to investigate a complaint made by Mr Schrems concerning the transfer of his personal data by Facebook Ireland to Facebook's servers in the US. The Commissioner refused to investigate the complaint on the basis that the transfer was made pursuant to Safe Harbor arrangements and the Commission Decision described above.
The Irish High Court had concerns regarding the Commission Decision on Safe Harbor and therefore asked the CJEU to consider whether the decision prevented a data protection regulatory authority from itself being able to examine a complaint from a data subject that the laws and practices in the US do not ensure an adequate level of protection for personal data.
The CJEU held that a finding of adequacy (such as that in the Commission decision on Safe Harbor) does not prevent a regulatory authority from examining such a complaint (noting however that a regulatory authority could not itself declare a finding of adequacy invalid – only the CJEU has the power to do this).
Despite answering the questions referred to it, the CJEU went further to examine the Safe Harbor Decision itself, particularly in light of the recent Snowden revelations over the surveillance activities of the US intelligence agencies. It is the CJEU's decision in this regard that is of greater immediate impact to organisations. The CJEU found that the Safe Harbor Decision is invalid. Among other things, this was on the basis of the broad derogations from the Safe Harbor principles in connection with national security and law enforcement requirements which provided US public authorities with a means of access to personal data of European data subjects and the lack of effective legal redress for data subjects in that regard.
Where do we go from here?
The CJEU's finding is effective immediately and so the Safe Harbor mechanism adopted by Decision 2000/520 can no longer be relied upon to transfer personal data to US recipients. As such, organisations that transfer personal data to the US (whether directly or indirectly via subcontractors) under the Safe Harbor mechanism must review their existing arrangements and ensure that an alternative compliance solution is put in place. While each arrangement will need to be considered on a case-by-case basis, the following solutions should be considered:
- Putting in place model clauses (in the form approved by the European Commission) with the US recipient. We are aware of at least one major cloud service provider that has historically encouraged its customers to rely on its Safe Harbor certification and is now offering to enter into the model clauses with its customers.
- Relying on a set of approved intra-group binding corporate rules to legitimize the transfer. To date, relatively few organisations have implemented binding corporate rules and so the efficacy of this solution is likely to be limited.
- Restricting the transfer of personal data outside the European Economic Area either by restructuring arrangements such that data processing is conducted within the European Economic Area or anonymising the data that is transferred outside the European Economic Area.
It is also important to bear in mind that negotiations between the EU and the US on a revised version of the Safe Harbor scheme are progressing and, given the CJEU's decision, may now progress with increased urgency. Even though negotiations are well advanced, this is a solution that cannot be relied upon in the short term.
It is important to ensure that appropriate solutions are put in place as a matter of urgency to ensure compliance with the DPA and European data protection law. As far as the UK is concerned, we do not anticipate immediate enforcement action being taken by the Information Commissioner against organisations who now find themselves without the benefit of the Safe Harbor mechanism, provided those organisations are taking steps to implement alternative compliance solutions as a priority. The Information Commissioner’s statement in response to the judgment can be viewed by clicking here.
Our Data, Privacy and FOI team are on hand if you would like to discuss the contents of this briefing.
The full judgment in the case of Schrems can be obtained by clicking here.