On 6 October 2015 the Court of Justice of the European Union (CJEU) issued its decision in the case arising from Maximilian Schrems's complaint about Facebook's transfers of his personal data to the US (Judgment in Case C-362/14 Maximillian Schrems v Data Protection Commissioner). The mechanism used by more than 5000 US corporations, and relied upon by tens of thousands of EU data controllers to make lawful transfers of personal data to the US, has been declared invalid.
The official press release says, “Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity.”
The EU Data Protection Directive (95/46/EC) provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. The Directive also provides that the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Finally, the directive provides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive (‘national supervisory authorities’).
Some years ago the US Department of Commerce negotiated a Safe Harbor framework with the European Commission under which US corporations that self-certified adherence to seven data privacy principles, enforceable by the Federal Trade Commission (FTC), would be deemed "safe" to receive transfers of personal data from businesses in the EU.
Safe Harbor does not apply to the banking and financial services sector, as that sector is not regulated by the FTC, but even so many US corporations use Safe Harbor as their data transfer solution. Data centres, third party vendors and social media companies are typical users of Safe Harbor.
Facebook relies on Safe Harbor, and some while ago Max Schrems complained that Facebook, by transferring his personal data to the US, was exposing it to access by US security agencies, which he regarded as a breach of his rights under applicable data protection law. To cut a long story short, he asked the Irish Data Protection Commissioner to investigate Facebook (Facebook Ireland being the data controller for EU users) for unlawfully processing his data in the US in breach of its Safe Harbor certification. The Irish Data Protection Commissioner did not consider that it had the authority to question Safe Harbor.
The official press release says: "Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency ('the NSA')), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in a decision of 26 July 2000 the Commission considered that, under the 'safe harbour' scheme, the United States ensures an adequate level of protection of the personal data transferred (the Safe Harbour Decision)."
The CJEU was asked to rule on the validity of Safe Harbor and, in particular, whether the Safe Harbour Decision overrode the power of a national Data Protection Authority to investigate a complaint that the Safe Harbor principles had been breached.
The CJEU found that the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court held that the Commission did not have competence to restrict the national supervisory authorities' powers in that way. The Court also examined the substance of the scheme and found that it permits US public authorities to access transferred personal data on a generalised basis, without limitation and without any means for individuals to obtain a legal remedy, which compromises the essence of the fundamental rights to respect for private life and to effective judicial protection.
For all those reasons, the Court declared the Safe Harbour Decision invalid.
What now, you ask? As Safe Harbor is invalid, any transfer of personal data from your EU business to a US corporation that relies solely on Safe Harbor no longer has a lawful basis. Here is our plan of action:
- Check whether your business is certified for Safe Harbor.
- If it is, check whether you have registrations in place with EU Data Protection Authorities for your EU entities that state you use Safe Harbor. If you do, you will have to rethink.
- Look at moving from Safe Harbor to either Model Contracts (the Commission's standard contractual clauses) or Binding Corporate Rules to adduce adequate safeguards for personal data transfers. Note that Binding Corporate Rules require approval by the Data Protection Authorities and take time to put in place, so Model Contracts are usually the quicker fix.
- Audit any contracts you have with third party vendors who rely on Safe Harbor. If you have any, you will need to insist that those vendors execute Model Contracts (controller-to-processor model clauses).
- Don't panic, but don't do nothing.
- The Data Protection Authorities will expect you to start a process of compliance, but will understand that it may take a while to make it to any port in a storm.