Dramatic CJEU ruling declares the Decision which underpins Safe Harbor invalid.
What’s the issue?
Last week we reported on Advocate General (AG) Bot’s non-binding Opinion in the case of Schrems v Data Protection Commissioner, a reference from the Irish High Court. The AG recommended that Court of Justice of the European Union (CJEU) find:
- EU national regulators have the power to “look behind” Safe Harbor and suspend the transfer of data under Safe Harbor if they think the data is not being protected adequately as required by the EU Directive; and
- The EU Commission’s decision 2000/520 (Decision) establishing Safe Harbor under EU law is invalid because of the lack of protection for EU personal data in the US.
The Opinion caused huge consternation and uncertainty for organisations signed up to Safe Harbor as it put the legal foundation for the transfer of such personal data from the EU to theUSA under serious question. As Safe Harbor is currently under renegotiation and a new General Data Protection Regulation is pending, the AG’s Opinion was unexpected by many.
What’s the development?
In a highly unusual move, the CJEU has handed down judgment within a fortnight (rather than the usual four to six months). It follows the AG Opinion in finding that a regulator cannot be prevented from examining a complaint by virtue of a Commission decision and, crucially, that the Decision is invalid. In other words, the Safe Harbor Principles are no longer presumed to afford an adequate level of protection of personal data.
This means the Safe Harbor principles will no longer bind Member State data protection authorities to allowing transfers of personal data to the US. Any transfer of personal data to the USA based on Safe Harbor will, therefore, potentially be subject to investigation by the regulators and to possible enforcement action.
What does this mean for you?
We expect several Member State regulators to suspend data transfers based on Safe Harbor. If you export personal data to a US entity signed up to Safe Harbor or if your organisation is signed up to Safe Harbor, you will need to find another compliance route. The good news is such routes exist, the bad news is that, for most companies, they take time and money to put in place.
Binding Corporate Rules (which are relevant only to intra-group transfers) can take a year or more to get regulator approval. Model contract clauses should be relatively straightforward to get signed (although compliance may be brought sharply into focus). However, some Member States require model clauses to be filed and even approved by regulators and that takes time. Getting the consent of data subjects to the export of their data is another possibility but many jurisdictions regard true consent as very difficult to achieve, especially retrospectively. In other words, there is no quick and easy fix to the loss of Safe Harbor.
What happens now?
The case in question has been referred back to the Irish Data Protection Commissioner for investigation, at the end of which the Irish regulator may decide whether or not to suspend data flows between Facebook Ireland and Facebook USA. This means that the CJEU has stopped short of suspending data flows itself but has passed the matter back to regulators. The ‘rubber stamping’ of data transfers under Safe Harbor has gone but data flows can only be suspended by regulators. The implication though, is that in the face of an investigation, if Safe Harbor is the only data export mechanism, the regulator is likely to find that protection is not adequate and to suspend the data transfer.
The prospect of mass enforcement action by all Member State regulators against every US company signed up to Safe Harbor, but without another compliance mechanism in place, looks far-fetched, and we would expect the more pragmatic regulators (UK, Ireland and others) to allow companies time to re-organise their compliance programmes. In countries like Germany where Safe Harbor has long been regarded with suspicion the regulators may not be so generous – they may feel concerns about Safe Harbor have been well flagged and so businesses should be prepared for alternative arrangements by now.
The key message to businesses is to ‘get on it’ immediately; organisations which are slow to react and are seen to be doing nothing risk attracting regulator attention. Some US companies have already moved away from Safe Harbor as a compliance mechanism as it has been under scrutiny for some time and particularly since the Snowden revelations. Now others will have to follow.