As reported previously (see here), the Court of Justice of the European Union (CJEU) recently declared that the EU Commission’s decision on Safe Harbor is invalid because the Safe Harbor framework does not sufficiently protect the fundamental rights of EU citizens.
Irish High Court Rules on Schrems
The matter returned before Mr Justice Hogan in the Irish High Court last week to decide how the case should proceed following what the judge described as “possibly one of the most important decisions” of the CJEU in recent years.
Arising from the CJEU decision, the Data Protection Commissioner (DPC) consented to an order quashing the 2013 refusal of her office to investigate the complaint and remitting the matter for consideration by her. The Court noted that “it is clear that the DPC had no jurisdiction to go behind the ‘Safe Harbor’ agreement” at that time.
Counsel for Mr Schrems expressed concern that the complaint would be “long-fingered” by the DPC in the hope of a new Safe Harbor arrangement being agreed. However, Counsel for the DPC assured the Court that the complaint would be investigated in line with the High Court and CJEU decisions.
In a statement following the order of Mr Justice Hogan, the DPC welcomed the decision and noted that her office will now “proceed to investigate the substance of the case with all due diligence”.
Safe Harbor 2.0?
In the meantime, the wait for Safe Harbor 2.0 may not be a long one. The EU Commissioner for Justice announced this week that the EU had agreed “in principle” on a new data transfer agreement with the US while discussions are ongoing to ensure that “the new arrangement lives up to the standard of the Schrems ruling”.
The two sides have been negotiating a new agreement since Edward Snowden leaked details of a US mass electronic surveillance program in 2013 and a number of meetings have taken place since the judgment with the aim of transforming the system from a purely self-regulating one. The Commissioner noted that the European Commission is not assessing the US system generally but ensuring that it offers safeguards which are “globally equivalent” to those offered in Europe. The Commissioner also noted that ensuring sufficient safeguards and limitations to prevent access to personal data on a generalised basis “is the biggest challenge in the judgment” but welcomed the reforms made by the US in this regard.
EDPS Offers Advice to Businesses
Meanwhile, European Data Protection Commissioner Supervisor (EDPS), Giovanni Buttarelli, noted in a Q&A session, when asked about the recent statement of the Article 29 Working Party (see here), that Standard Contracts and Binding Corporate Rules (BCRs) remain solutions for the transfer of personal data to the US for the time being but warned that they cannot be conceived of as “entirely solid”.
When asked what companies who currently transfer data to the US should do in the short term, Mr Buttarelli reaffirmed the position that such companies must immediately cease relying on Safe Harbor to legitimise transfers. He suggested that companies should “identify interim solutions by focusing on other requirements” but should not expend resources on options which are “too creative”. Mr Buttarelli also suggested that companies currently “in limbo” as a result of the judgment should await guidance from national data protection authorities which he believed would emanate shortly.
Interestingly, in light of Mr Buttarelli’s comments, the Commissioner, observing that businesses need “clear explanations and a uniform interpretation of the ruling” noted that the European Commission will shortly issue an explanatory communication on the consequences of the ruling in respect of data transfers.
In the meantime, Irish businesses affected by the Safe Harbor ruling should continue to identify and implement interim solutions in respect of data transfers between the EU and US.