The Court of Justice of the European Union (“CJEU”) has delivered its much anticipated ruling in the case of Schrems v Data Protection Commissioner.
On the substantive questions referred to the CJEU from the Irish High Court in that case, the CJEU has followed the recommendations set out in Advocate General Bot’s Opinion of 23 September 2015 (summarised in our article here), finding, in essence, that the existence of Commission Decision 2000/520/EC (approving the Safe Harbor scheme) does not prevent the Irish Data Protection Commissioner from investigating a claim as to the adequacy of the level of protection for personal data transferred by Facebook under that scheme to the United States.
More significantly, the CJEU has also followed AG Bot’s recommendation that Decision 2000/520/EC (ie the Safe Harbor scheme) be declared invalid.
Safe Harbor was a framework agreed between the United States and the European Commission whereby personal data could (until the CJEU’s ruling on 6 October) be transferred to the United States without contravening the general prohibition under EU data protection law on the transfer of personal data outside of the European Economic Area (“EEA”) to countries which are deemed not to provide an adequate standard of protection for personal data.
It is estimated that more than 4,000 organisations are signed up to the Safe Harbor scheme. It is important to bear in mind that this ruling affects not only EU-based data controller organisations who directly transfer individuals’ data to US-based group companies or service providers in reliance on Safe Harbor, but also EU-based organisations who use service providers that rely on Safe Harbor to transfer data to their parent companies/service providers in the US.
Schrems v Data Protection Commissioner will return to the Irish High Court to be determined in light of the CJEU’s ruling. In the meantime, however, it is clear that Safe Harbor can no longer be relied upon as the basis for transferring personal data to the United States. Any ongoing or intended transfers will need to be based on one of the alternative grounds for transferring personal data outside of the EEA. These include:
- entering into data transfer agreements, based on the EU Commission approved “Model Clauses” with the US entity to which personal data is to be transferred; or
- (in the case of multinational organisations) putting in place “binding corporate rules” (ie rules agreed between members of the corporate group which facilitate the transfer of personal data from group companies based in the EEA to group companies located in countries such as the United States which are not deemed to provide an adequate level of protection for personal data); or
- relying on the consent of the person whose personal data is to be transferred (reliance on consent is, however, generally not recommended, as “consent” for the purposes of data transfer must be unambiguous, freely given and informed, which can be difficult to demonstrate in practice, particularly in the case of employees).
The European Commission, in a statement released after the ruling, indicated that it is continuing to work with the United States authorities to develop a renewed and safe framework for the transfer of personal data to the United States, and that it intends to issue clear guidance for national data protection authorities on how to deal with data transfer requests to the US in the light of the CJEU’s ruling.