Lawful transfers of data from the EU to the USA have become a concern following the Schrems decision on 6 October 2015 (Maximilian Schrems v Data Protection Commissioner in the Court of Justice of the European Union (“CJEU”)).
The decision should not have been a huge surprise given that the European Parliament voted almost unanimously to suspend Safe Harbor, the arrangement which allowed the transfer of personal data from any EU country to the US without breaching EU rules on data exports, in March 2014. “USA NSA: stop mass surveillance now or face consequences, MEPs say” was the headline on the European Parliament’s press release at the time.
As a result of the decision, any data transfers that are still taking place under the Safe Harbor are unlawful.
The reason for the decision was that the CJEU agreed with Schrems’ key contention that USA law and practice do not adequately protect the fundamental privacy rights of EU citizens.
The two problems with US law are stated clearly in paragraphs 94 and 95 of the judgment:
First, legislation permitting US public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right for private life, as guaranteed by Article 7 of the Charter of Fundamental Rights.
Second, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or to obtain the rectification or erasure of such data does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter of Fundamental Rights.
Binding Corporate Rules (“BCRs”) and EU model clauses have not yet been held to be unlawful but, in due course, may follow the same fate as Safe Harbor for the same reasons. As one of the most highly regarded experts in the field has observed: “All personal dataflows between Europe and the US may be deemed to be unsafe and hence unlawful”.
The Article 29 Working Party (composed of representatives from the national data protection authorities of the EU Member States) is giving until January 2016 for “an appropriate solution” to be found with the US authorities and to assess all the existing transfer tools in light of the Schrems decision. If no solution is found by then, the Article 29 Working Party says that the EU data protection authorities are “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
UK Information Commissioner, Christopher Graham, has called for “cool heads”, emphasised the need to keep “a sense of proportion” and has made clear that the Information Commissioner’s Office intends, as always, to be reasonable.
There are strong imperatives for reaching agreement (such as preserving EU jobs and Europeans' love of American technology) but a fairly fundamental battle of ideology is at play here. Is this decision sabre rattling/part of the EU’s negotiation strategy? Possibly. What is clear, however, is that achieving a political solution which strikes a fair balance between the interests that require free movement of personal data and the fundamental right to privacy will be no mean feat.