The Court of Justice of the European Union (CJEU) decided today to agree in large part with the Advocate General’s recommendation in the matter Schrems v. Facebook (Ireland), and invalidated the U.S./EU Safe Harbor mechanism for transferring data. Safe Harbor was first established in 2000 as an additional mechanism to transfer personal data from the EU to the U.S., provided that companies publicly agreed to Safe Harbor privacy principles (Commission decision 2000/520). Enforcement for Safe Harbor non-compliance was assigned to the Federal Trade Commission; the FTC could also accept complaints from EU Data Protection Authorities (DPAs).
In Schrems, the Irish DPA determined that it did not have the authority to review whether the Commission’s Safe Harbor decision was valid. The Irish High Court concurred, and therefore the CJEU took the case.
The CJEU takes the findings of the (non-binding) Advocate General recommendation in whole, including that the U.S. legal system has “systemic failures” in data protection because of national security programs revealed in June 2013 after a series of unauthorized disclosures of PRISM and other national security programs. However, the Advocate General’s opinion does not accurately describe PRISM and other national security programs as they operated in 2013, and despite indicating that his decision must take into account the regime as currently in operation, the Advocate General’s sweeping generalities are not accurate (see, e.g., the analysis of the Advocate General’s recommendations by Peter Swire, member of the independent Review Group on Intelligence and Communications Technology, created by President Obama in 2013).
The CJEU did not perform an independent assessment of U.S. law, and in fact ignores that, in the European Union, no Member State DPAs have authority over national security issues.
The CJEU’s terse conclusion mirrors the Advocate General’s recommendation – that Member State DPAs have independent authority to determine whether the Commission’s underlying decision on adequacy (in this instance Safe Harbor) is legitimate, and that the Commission’s initial decision on Safe Harbor is invalid. On this second point, the CJEU uses the Commission’s own statements on Safe Harbor (including a 2013 report to the EU Parliament) to conclude that there are adequate grounds to determine the U.S. has systemic failures in the Safe Harbor regime.
What does this mean for you? Unlike many CJEU decisions, there is no transition period; therefore, the transfer of EU personal data under Safe Harbor authority is no longer valid. The other transfer mechanisms (including Model Contracts, consent, and Binding Corporate Rules) still exist. Even though the dicta in the CJEU decision suggest that all transfers to the U.S. may suffer from the same inadequacy, the other data transfer mechanisms were not before the CJEU in Schrems. The Safe Harbor 2.0 standards were almost concluded, but in light of this sweeping decision, they will need to be re-reviewed and may take a while to finalize. The interregnum period will be fraught with confusion, and potentially inconsistent application of law by Member State DPAs.