Dramatic CJEU ruling declares the Decision which underpins Safe Harbor invalid.

What’s the issue?

EU data protection law prohibits the transfer of personal data to countries or territories outside the EEA unless they are considered to provide adequate protection. One of the ways certain US organisations can demonstrate an adequate level of protection is by signing up to the Safe Harbor principles, a self-certification standard operated by the US Department of Commerce and enforced by the FTC.

In light of the Snowden revelations about mass surveillance of EU personal data, an Austrian individual filed a complaint against Facebook Ireland objecting to the fact that its servers are located in the USA on the basis that the USA offers no real protection of EU citizen data against State surveillance.

The Irish Data Protection Commissioner considered he was not required to investigate the complaint because Decision 2000/520 (Decision) of the European Commission which, in essence, validates Safe Harbor, was binding and precluded him from doing so. The Commissioner’s decision was referred for Judicial Review to the High Court which stayed proceedings and asked the Court of Justice of the European Union (CJEU) to rule on whether, in the light of EU law, the Irish Data Protection Commissioner was absolutely bound by the Decision.

In a non-binding Opinion, Advocate General Bot (AG) recommended that the CJEU find:

  • EU national regulators have the power to “look behind” Safe Harbor and suspend the transfer of data under Safe Harbor if they think the data is not being protected adequately as required by the EU Directive; and
  • The Decision establishing Safe Harbor under EU law is invalid because of the lack of protection for EU personal data in the US.

The Opinion caused huge consternation and uncertainty for organisations signed up to Safe Harbor as it put the legal foundation for the transfer of such personal data from the EU to the USA under serious question. As Safe Harbor is currently under renegotiation and a new General Data Protection Regulation (GDPR) is pending, the AG’s Opinion was unexpected by many.

What’s the development?

In a highly unusual move, the CJEU handed down judgment within a fortnight of the Opinion (rather than the usual four to six months). The judgment follows the AG Opinion in finding that a regulator cannot be prevented from examining a complaint by virtue of a Commission decision and, crucially, that the Decision is invalid. In other words, the Safe Harbor Principles are no longer presumed to afford an adequate level of protection of personal data.

This means the Safe Harbor principles will no longer bind Member State data protection authorities to allowing transfers of personal data to the US. Any transfer of personal data to the USA based on Safe Harbor will, therefore, potentially be subject to investigation by the regulators and to possible enforcement action.

What does this mean for you?

We expect several Member State regulators to suspend data transfers based on Safe Harbor. If you export personal data to a US entity signed up to Safe Harbor or if your organisation is signed up to Safe Harbor, you will need to find another compliance route. The good news is that such routes exist (for now); the bad news is that, for most companies, they take time and money to put in place.

Binding Corporate Rules (which are relevant only to intra-group transfers) can take a year or more to get regulator approval. Model contract clauses should be relatively straightforward to get signed (although compliance may be brought sharply into focus). However, some Member States require model clauses to be filed and even approved by regulators and that takes time. Getting the consent of data subjects to the export of their data is another possibility but many jurisdictions regard true consent as very difficult to achieve, especially retrospectively. There are also derogations where the transfer is necessary for the performance of a contract or where there is an element of necessity, in the public interest or in the vital interest of the data subject. All of these are high hurdles to pass; in other words, there is no quick and easy fix to the loss of Safe Harbor.

What happens now?

The case in question has been referred back to the Irish Data Protection Commissioner for investigation, at the end of which the Irish regulator may decide whether or not to suspend data flows between Facebook Ireland and Facebook USA. This means that the CJEU has stopped short of suspending data flows itself but has passed the matter back to regulators. The ‘rubber stamping’ of data transfers under Safe Harbor has gone but data flows can only be suspended by regulators. The implication, though, is that in the face of an investigation, if Safe Harbor is the only data export mechanism, the regulator is likely to find that protection is not adequate and to suspend the data transfer.

The prospect of mass enforcement action by all Member State regulators against every US company signed up to Safe Harbor, but without another compliance mechanism in place, looks far-fetched, and we would expect the more pragmatic regulators to allow companies time to re-organise their compliance programmes. The ICO has already confirmed that it will take this approach. In countries like Germany where Safe Harbor has long been regarded with suspicion the regulators may not be so generous – they may feel concerns about Safe Harbor have been well flagged and so businesses should be prepared for alternative arrangements by now. The Article 29 Working Party, comprised of European data protection regulators, is due to comment on the judgment shortly.

It must be said that the CJEU judgment indirectly casts doubt on the use of BCRs and model clauses for data export to the US. While there is nothing to prevent them being used at the moment, if they were to become subject to judicial review, there is a risk that they will suffer a similar fate to Safe Harbor although this is unlikely to happen immediately. The most practical solution for some might, therefore, be to move their data centres to Europe which could help resolve issues. It is to be hoped that before other dramatic events take place, two things will have occurred: the EU will have reached a new agreement with the US around data export; and it will have passed the GDPR. The second option is quite likely. We expect the GDPR to be agreed in the early part of next year (see our Global Data Hub articles on the progress of the GDPR and, specifically, on the approach to data exports). Whether or not a US agreement is achievable is less certain. There will be tremendous commercial will to agree a successor to Safe Harbor but the two outstanding issues are access to EU data by US law enforcement authorities, and the fact that there is currently no right to legal redress for EU citizens in the USA (although a Bill to change this has been introduced to Congress).

The key message to businesses for now is to ‘get on it’ immediately; organisations which are slow to react and are seen to be doing nothing risk attracting regulator attention. Some US companies have already moved away from Safe Harbor as a compliance mechanism as it has been under scrutiny for some time and particularly since the Snowden revelations. Now others will have to follow.

Find out more about what this means for data transfers outside the EEA

Please do contact us if you would like to discuss the implications of this ruling. In addition, Taylor Wessing will be holding a webinar on 20 October to discuss data exports in light of this CJEU decision and the recent CJEU ruling in the Weltimmo case (see below).

You can also find general information about data transfers on our Global Data Hub here.

Read more about the judgment

The CJEU followed the AG’s reasoning in determining that the Decision did not prevent regulators from investigating complaints although it introduced some new aspects to assessment of the validity of the Decision.

Powers of the regulators and interaction with the Decision

  • The CJEU agrees with the AG that national regulators have co-competency with the Commission to determine that a third country does not ensure adequate protection for data protection purposes. Regulators must have independent powers to investigate any complaints. If they find there is no justification for a complaint, the complainant must have access to judicial review. If the regulator finds there are grounds for complaint, they must also be able to apply to Member State courts for judicial review and those courts must stay the action and make a reference to the CJEU.
  • If, as in this case, there is a Commission decision which determines a country does have adequate protection, the regulator is bound by it and until such time as it is declared invalid, the regulator cannot adopt measures which are contrary to it.
  • This means that in order for a regulator to take action following an investigation into the adequacy of the data protection provisions of a third country where a decision establishes adequacy, that decision must be declared invalid. Only the CJEU can do this, acting on a reference from a Member State court which the court should make where it considers that one or more grounds for invalidity are well founded.

Validity of the Decision

  • The CJEU goes on to say that given the doubts expressed by Schrems which the referring court appears to share about the validity of the Decision, the CJEU needs to examine whether the Decision complies with the requirements of the Data Protection Directive (Directive) read in the light of the Charter on Fundamental rights (Charter).

Article 1 of the Decision

  • The wording of the Directive (Article 25(6)) requires that a third country ensure an adequate (which the CJEU takes as meaning equivalent to EU) level of data protection by reason of its domestic law or international commitments. This means the Commission is obliged to assess the content of applicable rules in that country resulting from its domestic law or international commitments and the practice designed to ensure compliance when examining the level of protection provided.
  • The Commission is also required to review an adequacy decision regularly and in any event where there is evidence which casts it in doubt.
  • The Decision considers only the adequacy of protection provided in the USA under the Safe Harbor principles implemented in accordance with the FAQs with a view to meeting the requirements of the Directive, without making sufficient findings about the extent to which the USA ensures an adequate level of protection by reason of its domestic law or international commitments.
  • The applicability of Safe Harbor principles may be limited by reasons of national security etc. This is such a general derogation that it does not comply with the EU principles of proportionality and necessity and there is no way for an individual to pursue legal remedies. There is no provision under US law which enables assessment of necessity or limits the use of EU personal data so it is impossible to assess proportionality. The Commission itself has argued that this means an adequate level of protection is not ensured.
  • The CJEU says, however, that it is not even necessary to consider the content of the Safe Harbor principles. It is the fact that the Commission’s assessment of adequacy is based on them, rather than on domestic law or international commitments, which renders Article 1 of the Decision invalid.

Article 3 of the Decision

  • The CJEU then goes on to consider Article 3 of the Decision. Article 28 of the Directive read in conjunction with the Charter, gives regulators the power to examine independently any claim about the protection of a person’s rights and freedoms around the processing of his personal data. This is particularly true where a person raises questions regarding the compatibility of a Commission decision on adequacy of a third country’s protection. However, that power is restricted under Article 3(1) of the Decision. The Commission exceeded its power when making the restriction and so Article 3 of the Decision is invalid.

As Articles 1 and 3 of the Decision are inseparable from the rest of the Decision, the entire Decision is invalid.