On October 6, 2015, the Court of Justice of the European Union (“CJEU”) declared that the US-EU Safe Harbour framework is invalid, striking it down in the highly anticipated case of Schrems v. Data Protection Commissioner. The decision is effective immediately, with far-reaching and widespread implications for entities with multinational data flows.
Since EU data protection laws purport to apply to the processing of personal data regardless of whether the individuals affected are EU citizens or not, or are physically present in the EU or not, the potential impacts of this decision go beyond those organizations with an EU clientele. Any organization that makes use of equipment located in a Member State to process personal data is potentially at risk.
Max Schrems, a law student and privacy advocate from Austria, initiated a case against Facebook in Ireland asserting that American mass surveillance programs (such as the NSA activity divulged by Edward Snowden) violated his privacy. The Safe Harbour framework permits major U.S.-based organizations to self-certify that they are providing an “adequate level of protection for privacy and fundamental rights and freedoms” in compliance with EU privacy laws.
While the Irish Data Protection Commissioner originally rejected the case on the basis that the European Commission had already found the Safe Harbour framework to be compliant, the High Court of Ireland referred the question of the legality of the Safe Harbour framework to the CJEU for consideration. Notwithstanding prior blessing from the European Commission, the CJEU concluded that the framework was incompatible with EU privacy norms.
Despite assertions that U.S. intelligence gathering is of a targeted, rather than a general, nature, the CJEU fundamentally disagreed. It found the original Safe Harbour Decision invalid on the basis that self-certifying organizations “are bound to disregard” fundamental privacy rights when they conflict with the national security and public interest requirements or domestic legislation of the United States. This finding thus renders illegal any transfer of personal data from the EU to the United States that is based solely on Safe Harbour self-certification.
The CJEU’s ruling is final, with no avenue for appeals.
The CJEU’s decision, unlike many major decisions with far-reaching implications, has no transition period to allow for phased-in implementation; it is effective immediately. Since many Canadian businesses have relied on service providers self-certifying under the Safe Harbour framework for cloud-based data storage operations, their operations may be significantly impacted, particularly for national or multinational organizations or organizations that make use of a cloud network with EU and US servers. While negotiations between the US and EU on a new Safe Harbour framework have been underway for some time, there is no guarantee that the end result will be a new framework, or if it is, that such a framework would survive the scrutiny of the court.
Since Article 4 of the EU Data Protection Directive gives EU data protection authorities jurisdiction over a “controller” not established on EU territory if the controller “makes use of equipment, automated or otherwise, situated on the territory of [a] Member State”, the Schrems decision could also apply to any organization using a cloud network with EU and US-based servers, even if the personal information relates to Canadian or U.S. residents.
In addition to the immediate ramifications related to finding and implementing alternative options to the Safe Harbour framework, the decision raises the question as to whether Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and EU-Canada data transfers may be in line for similar treatment given the similar ability of Canadian authorities to access networked information on a national security basis.
Since the Safe Harbour method has been struck down, organizations will need to swiftly assess alternative options for data transfers. These mechanisms include Model Clauses, Binding Corporate Rules, anonymization, and express consent. The Model Clauses approach uses standard, pre-approved contract language, approved by the European Commission, for data transfers, while the Binding Corporate Rules approach requires the crafting of a binding policy governing related internal entities making international data transfers. The Binding Corporate Rules approach is time-consuming, and its application is limited because it does not encompass the external entities often used in the regular course of business. Model Clauses are also time-consuming, extremely rigid, and subject to audit. While these approaches present alternative mechanisms, albeit with some limitations, there is speculation that they too could be subject to challenge, especially given the basis upon which the Schrems decision was made. Another approach is obtaining express consent, which must be prior, unambiguous, and voluntary. The problem with express consent is that, since it must be both prior and informed, it will in practice be almost impossible to obtain such consents in relation to personal information that has already been collected, and potentially very difficult to manage on a going-forward basis. At this point in time, no alternative stands out as both viable and desirable for all circumstances. A careful assessment of the alternative options must be made, taking into account the needs of the organization and its service providers.
What Canadian Business Needs to Know
The decision by the CJEU to strike down the Safe Harbour framework, effective immediately, requires that affected organizations swiftly assess alternative approaches to data transfers. Given that thousands of entities relied on Safe Harbour, the ramifications of the decision for Canadian businesses may be significant. While alternative approaches to data transfers do exist, each raises complex issues related to implementation.