You will no doubt have heard the headlines that the ECJ has given its preliminary ruling to the Irish High Court that Article 1 of the Commission Decision 2000/520/EC which provided that adequate protection conferred by US companies under the Safe Harbor Principles, is invalid.

In legal terms, this news has really hit the headlines and provided the scare mongerers with ammunition that ‘our data is no longer safe’, ‘unauthorised disclosure is abundant’ …. the sky, or at least the Cloud in the US, is falling in etc.

But what does this mean in practical terms – in the level headed world of real life data transfers which are unused to salacious gossip and spontaneous outbursts of emotive angst.

What is this all about?

Maximillian Schrems is an Austrian Facebook subscriber living in Austria. He is also a well known champion of data protection rights. In June 2013, he made a complaint to the Irish Data Protection Commissioner (DPC) by which he asked the DPC to exercise its powers to prevent Facebook Ireland from transferring his personal data to the US on the basis that US law and practice did not ensure adequate protection of the personal data against the mass surveillance of data carried out by the public authorities. This apparently stems from the revelations made by Edward Snowdon in 2013. It transpires that, at the time of registration, all Facebook subscribers living in the EU consent to some or all of their personal data being transferred from Facebook Ireland to servers of the parent company Facebook Inc in the US, where it is processed. Many of us are not even aware of this permission. Sadly for Facebook, Mr Schrems was.

The DPC took the view that it was bound by the European Commission’s findings in Decision 2000/520 that Safe Harbor ensured adequate protection.

Mr Schrems brought an action before the High Court challenging the decision. The Irish High Court found that whilst there was an undeniable public interest argument regarding the electronic surveillance and interception of personal data transferred from the EU to the US, the revelations made by Edwards Snowden had demonstrated a “significant over-reach” on the part of federal agencies that did not adhere to EU Data Protection Principles.

What is Safe Harbor?

The Safe Harbor Principles offer US companies the opportunity to self-certify Safe Harbor data protection standards, principles and procedures. Decision 2000/520 declared that the Safe Harbor Principles provide an adequate level of protection which satisfies, in UK terms, the requirements of Principle 8 of the Data Protection Principles in Schedule 1 of the Data Protection Act 1998. For companies with subsidiaries or trading partners in the US, the Safe Harbor scheme was designed to reduce the administrative burden of complying with the Data Protection Directive and to ensure that data flows to Europe are uninterrupted.

What is the ECJ concerned about?

Article 25(1) of the European Data Protection Directive 1995 (Directive) provides a general prohibition against the transfer of personal data of an EU Member State for processing outside of the EEA unless the recipient country can ensure an ‘adequate level of protection’ in respect of that data.

The ECJ highlights that in order to ascertain under Article 25(6) of the Directive whether a third country provides an adequate level of protection of personal data the Commission must consider all the circumstances surrounding a data transfer operation on the basis of the non-exhaustive list of criteria set out in Article 25(2). In particular, the Commission must establish whether the third country ensures an adequate level of protection by reason of its domestic law or its international commitments.

The ECJ held that in this context the word “adequate” must be understood as requiring a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the EU.

The Court made it clear that in view of the important role played by the protection of personal data in the light of the fundamental rights set out in Articles 7 and 8 of the Charter, and the large number of persons whose rights are liable to be infringed by a data transfer to a jurisdiction that does not provide adequate protection, the Commission’s discretion as to the adequacy level ensured by the third country is necessarily reduced.

Why has the ECJ declared Decision 2000/520 ‘invalid’?

The ECJ considered in detail the Commission’s view, expressed in Decision 2000/520, that the Safe Harbor principles ensure an adequate level of protection for data transfers from the EU to US companies that have signed up to the Safe Harbor framework. In particular, the Court reviewed whether the system of self-certification by US organisation was sufficient to comply with the requirements or Article 25(6) of the Directive.

The Court found that in the present case the following issues arise:

  • The Safe Harbor principles are applicable solely to self-certified US organisations receiving personal data from the EU, whereas US public authorities are not required to comply with them.
  • Decision 2000/520 does not contain sufficient findings regarding the measures by which the US ensures an adequate level of protection by reason of its domestic law and international commitments.
  • The applicability of the Safe Harbor principles may be limited “to the extent necessary to meet national security, public interest, or law enforcement requirements”. Where US law imposes a conflicting obligation, US organisations, whether subject to the Safe Harbor principles or not, must comply with US law. This means that in essence (US) national security, public interest, or law enforcement requirements have primacy over the Safe Harbor principles. In practice, Decision 2000/520 therefore enables interference by US public authorities with fundamental rights of the persons whose data is transferred to the US under the Safe Harbor framework.
  • Decision 2000/520 does not contain any finding regarding the existence of rules adopted by the US intended to limit any interference with the fundamental rights of those persons, nor does it refer to the existence of effective legal protection against interference of that kind. Like the Advocate General, the ECJ observes that the procedures before the Federal Trade Commission and the private dispute resolution mechanisms affected persons can employ under the Safe Harbor arrangement solely concern compliance by the self-certified organisations. They cannot be applied in disputes relating to the legality of interference by US public authorities and security and law enforcement agencies with fundamental rights. What is the impact of this decision?

In reality, there was always a very limited take up under Safe Harbor by the US corporations. Signing up to the principles was never mandatory and compliance was self-certified on an annual basis. So in practical terms, many companies may not even have relied on the Safe Harbor Principles in the first place. If you have other methods governing the lawful transfer of personal data to the US then nothing will change. It is only companies that previously relied on Safe Harbor registration to transfer personal data from Europe to the US that will need to adopt alternative processes or risk non-compliance with the European Data Protection Directive 1995.

The decision has drawn criticism from some commentators for creating uncertainty, risk and cost for businesses, whilst others have welcomed the outcome as a strengthening of the privacy protections of European citizens.

What do we do going forward?

All companies will now want to assess whether these represent a viable legal or practical alternative. Safe Harbour is not the only method by which companies can lawfully transfer personal data to the US (and indeed other territories outside the EEA) and many companies also make use of the procedures known as binding corporate rules (BCRs) or ‘model clauses’, which are standard sets of data transfer terms approved by the European Commission as offering adequate safeguards for the purposes of the Directive. Such terms can be incorporated into data transfer agreements or signed up to as a standalone set of terms.