On October 6, 2015, the Court of Justice of the European Union (CJEU) issued a highly anticipated judgment that has the potential to impact how thousands of companies transfer data from the EU to the United States. The Court’s decision effectively invalidates the European Commission’s “adequacy” determination with respect to the U.S.-EU Safe Harbor Framework, which was established in 2000 as a mechanism to allow for the lawful transfer of EU citizens’ personal data to the U.S.
The ruling comes on the heels of a recent controversial opinion from the CJEU’s Advocate General, Yves Bot, who called for a suspension of the Safe Harbor Framework in light of findings regarding the U.S. government’s widespread collection of personal data and the lack of judicial redress available for EU citizens affected by such activities.
Following the 2013 Snowden revelations concerning the scope of U.S. government access to personal data, Max Schrems, an Austrian citizen and Facebook user since 2008, lodged a complaint with the Irish data protection authority (the DPC) with respect to Facebook’s transfer of his personal data from Facebook’s Irish subsidiary to Facebook in the United States.
The Irish DPC rejected Schrems’ complaint on the grounds that Facebook’s transfers were permitted pursuant to the U.S.-EU Safe Harbor Framework. Schrems then challenged that decision before the Irish High Court, which ultimately stayed its proceedings and applied to the CJEU for a determination regarding whether the Irish DPC (and other EU data protection authorities) could investigate claims concerning the validity of the European Commission’s adequacy determination pertaining to the Safe Harbor Framework.
The CJEU’s October 6 Judgment
Key points from the CJEU’s judgment:
- The CJEU decided that the Irish DPC could investigate claims of this nature and conduct its own investigations, but reinforced that, in the interest of guaranteeing legal certainty with respect to the application of EU law, “the Court alone has jurisdiction to declare that an EU act, such as a Commission decision adopted pursuant to Article 25(6) or Directive 95/46, is invalid.” (¶61)
- The CJEU considered the European Commission’s decision concerning the adequacy of the Safe Harbor Framework (Decision 2000/520) which explicitly states that U.S. considerations of “national security, public interest, or law enforcement requirements” have primacy over Safe Harbor principles (¶86), and noted that there is no finding in Decision 2000/520 that the U.S. has adopted rules ”intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States.” (¶88)
- The CJEU invalidated Article 1 of Decision 2000/520 because it permits “public authorities to have access on a genralised basis to the content of electronic communications” (¶94) and does not provide “for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data” which “does not respect the essence of the fundamental right to effective judicial protection.” (¶95)
- The CJEU also invalidated Article 3 of Decision 2000/520, because it contains specific rules regarding the powers of national data protection authorities in light of adequacy determinations made by the European Commission (¶100), thereby improperly restricting the DPAs’ powers in this regard as set forth in Article 28 of Directive 95/46. (¶¶101-103). Finally, because Articles 2 and 4 of Decision 2000/520 are inseparable from Articles 1 and 3, the CJEU concluded that the entirety of Decision 2000/520 is invalid.
Key excerpts from the CJEU’s press release concerning its judgment include:
- “…a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities…”
- “The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons” without any “rules intended to limit any such interference” or “effective legal protection against the interference.”
- “…the Safe Harbour Decision denies the national supervisory authorities their powers where a person calls into question whether the [European Commission’s] decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.”
At this time, the practical implications of the CJEU’s judgment remain unclear for companies that currently transfer personal data from the EU to the U.S. under the Safe Harbor Framework. Other data transfer mechanisms, such as Binding Corporate Rules and Standard Contractual Clauses, may offer appropriate alternatives for certain entities.
The CJEU’s judgment returns Mr. Schrems’ complaint to the Irish DPC for evaluation of whether transfers of EU Facebook members’ personal data to the U.S. should be halted in light of the CJEU’s finding that the United States does not provide an adequate level of protection for such data and the Safe Harbor Framework is not a valid mechanism for such transfers.
Several hours after the CJEU’s judgment was published, Federal Trade Commission Chairwoman Edith Ramirez issued a statement regarding the decision, indicating that the FTC is “reviewing the European Court of Justice’s opinion and evaluating its implications.” Ramirez reiterated that the FTC “will continue to work together with our European colleagues to develop effective solutions that protect consumer privacy with respect to cross-border data transfers.”
Similarly, in a press conference on Tuesday, European Commission Vice President Frans Timmermans stated that the Commission has “been working with the U.S. authorities to make data transfers safer for European citizens” and would “come forward with clear guidance for national data protection authorities on how to deal with data transfer requests to the United States in the light of the ruling.”