Just two weeks after Advocate General Bot delivered his controversial recommendation that the Court of Justice of the European Union (CJEU) should find the Safe Harbor Decision (2000/520/EC of 26 July 2000) to be invalid, the court has handed down its judgment in Maximillian Schrems v Data Protection Commissioner (Case C-362/14), following the Advocate General’s recommendation.
Overnight, what had been a valid method of transferring data from the EU to the United States for more than 15 years has been declared immediately invalid and subject to further investigation by each of the EU Member States’ national data protection authorities with “all due diligence”.
The effect of the CJEU’s judgment is that any transfers of personal data between the EU and the United States that were previously conducted on the basis of the Safe Harbor regime are immediately invalid, unless an alternative method of achieving adequacy under the Data Protection Directive (95/46/EC) has been put in place.
The CJEU held that a decision by the European Commission (EC) “cannot eliminate or even reduce the powers available to [national data protection] authorities under the Charter of Fundamental Rights of the European Union and the data protection directive.”
In a press statement today (6 October 2015), EC officials did not make any specific mention of a grace period for businesses to put in place alternative measures, but promised a coordinated response to the situation from national supervisory authorities, and pointed to existing methods of establishing adequate protection under the EU regime. That leaves very few options for organisations seeking to transfer data from the EU to the United States.
Case facts
Following the disclosures by Edward Snowden in 2013 about the systematic interception of data by U.S. intelligence services, Mr Schrems lodged a complaint with the Irish Data Protection Commissioner. His claim was that the practices of intelligence agencies in the United States had the effect of offering no real protection to his personal data while held there by Facebook.
Mr Schrems’ complaint was dismissed by the Irish Data Protection Commissioner, including on the grounds that the EC’s Safe Harbor Decision ensured an adequate level of protection for personal data transferred to the United States. The Irish Data Protection Commissioner believed that this decision prevented him from examining the issues raised in Mr Schrems’ complaint.
CJEU Judgment
In its judgment of 6 October 2015, the CJEU held, crucially, that the existence of a Commission decision “cannot eliminate or even reduce the powers available to the national [data protection] authorities under the Charter of Fundamental Rights of the European Union and the data protection directive.” Even if the Commission has adopted a decision, supervisory authorities must be able to independently examine whether a data transfer complies with the requirements of the Directive.
Central to the CJEU’s decision was the observation that in the United States, requirements of national security, public interest and law enforcement prevail over the Safe Harbor scheme, so that United States’ authorities “are bound to disregard those principles without limitation where they conflict with those requirements and therefore prove incompatible with them.”
Considerations for organisations relying on Safe Harbor
Businesses can be affected by this decision in two primary ways: (i) companies certified to the Safe Harbor list will need to consider alternative legal mechanisms to legitimise data transfers (for example, Model Clauses, Binding Corporate Rules or, if appropriate, consent); and (ii) companies are likely to use vendors/suppliers that are certified to Safe Harbor. Thus, the effect of the decision could impact an organisation’s entire supply chain. Given the interconnected world in which we now all live, the consequences of this decision are enormous and are likely to have a huge economic impact.
In a press conference held by the EC earlier today, First Vice President Frans Timmermans confirmed the European Commission’s commitment to the continuation of trans-Atlantic data flows with adequate safeguards in place. Commissioner Věra Jourová stated that, in lieu of Safe Harbor, the European data protection regime provides other mechanisms to allow for international transfers of data where data is being transferred under the Directive. In addition to individual consent, model clauses, and Binding Corporate Rules, these include transfers for:
- Performance of a contract requested by or for the benefit of an individual
- Public interest grounds
- Vital interests of the individual
Both the First Vice President and the Commissioner stated that the EC would provide guidance to national supervisory authorities, and would work closely with them to ensure a unified response.
Wider shockwaves?
The CJEU’s judgment is, in this instance, concerned with the Commission’s Safe Harbor Decision. However, the judgment has the potential to instigate further cases of a similar type, as it has boldly stated that supervisory authorities are not prevented from investigating matters solely due to the existence of a Commission decision. Commission decisions of adequacy currently exist in relation to 11 jurisdictions (excluding the Safe Harbor Decision). The case also leaves open the possibility of other methods of transferring data – including model clauses – being challenged on a similar basis in the future.
While the possibility of challenge exists for Binding Corporate Rules as well, this mechanism is unlikely to be challenged, since it is the only legal mechanism for transfers of data that is subject to approval by national data protection authorities and may be audited. Binding Corporate Rules, however, are not a quick fix, as it can take up to 18 months or longer to get approval.
The full ramifications of this decision will only become clear over time. Right now, organisations are left in a bit of a no man’s land, and it is impossible to suspend transfers. Instead, the emphasis is on putting another legal method for transfers in place as quickly as possible, as the CJEU’s decision may encourage a greater appetite among the EU data protection authorities to investigate data transfers that had been previously relied upon as being adequate under Safe Harbor.
Safe Harbor’s reincarnation
At the press conference, both the First Vice President and the Commissioner confirmed that the renegotiation of the Safe Harbor regime with the U.S. authorities would continue under the Umbrella Agreement. The Commissioner, however, did not give a concrete date for completion of these negotiations, and as the negotiations are also dependent on U.S. legislation, organisations should not wait for this Phoenix to rise from the ashes.