Recently the European Court of Justice (the ECJ) rendered a decision invalidating the Safe Harbor Framework between the European Union (the EU) and the United States, which allowed organizations to transfer personal data from EU member states to the United States. The decision has resulted in significant uncertainty for the 4,500 organizations that relied on the agreement, which will now need to implement alternatives for the transfer of personal data that comply with the ruling.
In 1998, the European Commission (the EC) implemented the Data Privacy Directive which prohibits the transfer of personal data to non-EU countries that do not meet the EU’s “adequacy” standard for privacy protection. In 2000, following negotiations between the EC and the United States and the issuance of EC decision 2000/520, the Safe Harbor Framework came into force. It allowed an organization to transfer personal data from the EU member states to the US, so long as it self-certified that it complied with the principles of the Safe Harbor Framework.
Max Schrems, an Austrian citizen, challenged Facebook’s cross-border data transfer practices before the Irish Data Protection Authority (the DPA). He claimed that personal data transfers from Facebook Ireland to Facebook U.S. under the Safe Harbor Framework were not afforded “adequate protection,” as required pursuant to the directive. He relied on the revelations by Edward Snowden that the US government had engaged in mass-surveillance programs that may have included personal data of EU citizens.
The Irish DPA refused to investigate the claim, whereupon Schrems brought an action before the Irish High Court. The court stayed the proceedings and referred the matter to the ECJ.
The ECJ found that EC decision 2000/520 is invalid. Specifically, the ECJ determined that the Safe Harbor Framework flowing from EC decision 2000/520 did not allow for adequate protection since (i) it allows US agencies to broadly access the personal data of EU citizens transferred to the US; (ii) those EU citizens lack legal remedies to seek access to their data or to obtain rectification or deletion of such data; and (iii) these deficiencies do not provide the level of protection of fundamental rights that is equivalent to that guaranteed by the EU.
The ECJ also found that the existence of an EC decision that ensures an adequate level of protection of the personal data transferred to a non-EU country (such as EC decision 2000/520) cannot eliminate or reduce the powers available to DPAs under the Charter of Fundamental Rights of the European Union and the directive. Accordingly, DPAs are not prevented from examining claims of persons who contend that the law and practices of countries to whom their personal data have been transferred (from an EU member state) do not provide for an “adequate” level of protection.
This decision is noteworthy for several reasons. First, given that the decision had immediate effect, it left approximately 4,500 organizations who rely on the Safe Harbor Framework to look for alternatives that are compliant with the EC’s directive.
Second, the decision highlights the underlying policy tension that governments face when balancing the need to protect the personal information of their citizens against giving law enforcement agencies the ability to access personal data in the broader national security context. The irony in this decision is that, even in EU Member States, laws exist for government scrutiny of personal data without the data subject’s consent (e.g., the UK’s 1994 Intelligence Services Act allows UK secret services to conduct surveillance similar to that by the NSA that was the basis for Mr. Schrems’s complaint). Therefore, by this decision, non-EU countries are effectively being held to a higher standard.
Third, we note that Canada is one of the 11 countries recognized by the EC as having “adequate protection” mechanisms for protecting personal data. As the US and EC explore the possibility of implementing an amended Safe Harbor Framework that can withstand legal scrutiny, Canada may be an attractive alternative for companies that need to transfer personal data of EC residents to North America, at least until there is a successful complaint challenging Canada’s status as affording an adequate level of protection.
The contribution of Noah Leszcz, articling student, in the preparation of this article is gratefully acknowledged.