On October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated the decision underlying the European Union’s (EU) safe harbor structure for cross-border data transfers from the EU to the United States in Schrems v. Data Protection Commissioner of Ireland (Schrems). Shortly after the CJEU’s decision, the Article 29 Data Protection Working Party (Working Party) issued a statement outlining its views as to the consequences of the CJEU decision in Schrems. The decision may directly impact Canadian businesses which transfer data from the EU to the United States or which host data in the United States.
Safe Harbor and Schrems
Under the EU Data Protection Directive, personal information of EU citizens can only be transferred from the EU to countries with adequate data protection standards. Safe Harbor, which was negotiated between the European Commission and the United States Department of Commerce, was one of a number of mechanisms available to EU companies to ensure there was an adequate level of protection when transferring personal data of EU citizens to the United States. To benefit from Safe Harbor, a company was required to self-certify to the United States Department of Commerce that it complied with specified EU privacy standards.
In Schrems, the CJEU declared Safe Harbor invalid. The CJEU held that ensuring an adequate level of data protection for EU citizens, as is required by the EU Data Protection Directive, means providing “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union.” The CJEU found that Safe Harbor failed to meet this standard since it did not prohibit the United States government from collecting and examining the personal information of EU citizens.
The Working Party’s Opinion
The Working Party is an advisory board consisting of EU data protection authorities and was created pursuant to the EU Data Protection Directive. The views of the Working Party are typically followed by EU regulators.
On October 16, 2015, the Working Party issued a statement which noted that it was still considering Schrems and acknowledged the uncertainty Schrems has created. The Working Party confirmed that certain other mechanisms permitting the transfer of EU citizens’ personal information to the United States will remain valid, such as the “Standard Contractual Clauses and Binding Corporate Rules”. However, the Working Party noted that this will not prevent EU data protection authorities from investigating individual cases.
The Working Party emphasized the need for EU data protection authorities to have a “robust, collective and common position” to successfully implement Schrems. The statement adopts the position that the core element of Schrems was the issue of massive and indiscriminate surveillance in the United States, which the Working Party previously stated is incompatible with EU law.
In addition, the Working Party called on EU member states and institutions to enter discussions with the United States in order to find political, technical and legal solutions to enable transfers of personal information to the United States, while respecting the fundamental rights of EU citizens. The Working Party stressed the need for “clear and binding mechanisms”, as well as “obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights”.
In light of Schrems and the Working Party’s statement, it is likely that any future decisions by EU data protection authorities with respect to adequate levels of protection under EU safe harbor rules will include an analysis of the laws and agreements regarding data transfer of the country to which EU citizens’ personal information is being transferred. It will be worthwhile to monitor future decisions of EU data protection authorities and whether they call any other safe harbor structures into question.
Canadian businesses which rely on Safe Harbor to transfer personal information of EU citizens from their operations in the EU to the United States or which host personal information of EU citizens with service providers operating in the United States should promptly work to adopt one of the alternative means available to comply with the EU Data Protection Directive.