On 6 October 2015, the Court of Justice of the European Union (ECJ) ruled in Case C-362/14, Schrems v Data Protection Commissioner, that the Commission's decision on the adequacy of the US Safe Harbor Framework (Safe Harbor) is invalid. Our analysis below sets out what this case may mean for businesses transferring personal data to the US under the Safe Harbor regime.
What is Safe Harbor?
Safe Harbor is a voluntary, self-certification regime: a US organisation that publicly commits to the Safe Harbor privacy principles is treated as providing adequate protection, so that personal data may be transferred to it from the EEA. In July 2000, the Commission confirmed the adequacy of Safe Harbor (Decision 2000/520/EC, referred to below as the European Commission Decision). This gave European companies the comfort they needed to transfer personal data to US entities signed up to Safe Harbor.
Background to the case challenging validity of Safe Harbor
Austrian national Maximilian Schrems complained to the Irish Data Protection Commissioner (Irish Commissioner) about Facebook Ireland Limited's transfer of his personal data to Facebook Inc. in the US. He argued that, once transferred, his personal data was subject to the NSA's PRISM surveillance programme (as revealed by Edward Snowden in 2013) and that Safe Harbor did not offer sufficient protection against such surveillance. The Irish Commissioner rejected Schrems' complaint on the basis that Facebook Inc. had signed up to Safe Harbor and that the Irish Commissioner was bound by the European Commission Decision as to the adequacy of Safe Harbor.
Referral to the ECJ
Schrems challenged that decision by way of judicial review, and in June 2014 the High Court of Ireland referred the question to the ECJ. The Irish High Court asked whether the European Commission Decision prevented a national supervisory authority from examining for itself whether Safe Harbor adequately protects personal data transferred to the US, and whether such an authority could suspend the transfers in question. In an opinion delivered in late September 2015, Advocate General Yves Bot (the AG) concluded that Safe Harbor did not currently provide an adequate level of protection for personal data transferred to the US and that, even if it did, the European Commission Decision could not prevent national supervisory authorities from reviewing the adequacy of Safe Harbor and suspending transfers to the US where necessary. An AG's opinion is not binding on the court.
The ECJ's judgment now reflects the AG's view. In particular, the ECJ found that the European Commission Decision could not diminish the power of a national supervisory authority to examine, on a complaint, whether a transfer of personal data to a third country outside the EEA is adequately protected. Further, the ECJ found that the wide, generalised access powers of US public authorities, which override the protections of Safe Harbor (as illustrated by the mass, indiscriminate surveillance of the NSA/PRISM programme) and which are not subject to effective judicial redress for EU citizens, are incompatible with the EU Data Protection Directive (95/46/EC) and with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (respect for private life and protection of personal data).
In light of the ECJ's finding that the European Commission Decision is invalid, all eyes will now be on the Irish Commissioner, who will be required to re-examine whether the transfer of personal data from Facebook Ireland Limited to Facebook Inc. under Safe Harbor (or under other measures taken by Facebook Ireland Limited) affords European users an adequate level of data protection. If the Irish Commissioner finds that Facebook Ireland Limited does not have a sufficient level of protection in place (through Safe Harbor or otherwise), it may order the suspension of Facebook Ireland Limited's transfers of personal data to Facebook Inc.
Analysis of the case by Addleshaw Goddard's Data and Information Team
Press commentary has already ranged from scaremongering and panic to passive resistance. Many organisations have announced that the ECJ decision will not affect them significantly. Notably, Airbnb and even Facebook have stated that they each have robust policies and procedures in place, in addition to their reliance on Safe Harbor, to maintain an adequate level of protection when transferring personal data.
On the other hand, the UK's Information Commissioner's Office (ICO) has released a statement that businesses relying on Safe Harbor will need to review their personal data transfer arrangements. Recognising that this may take time, the ICO will be releasing further guidance in the near future. Although it is arguably implicit in the Schrems judgment that even Model Contract Clauses are vulnerable to the same objection (they do not bind US public authorities), for now the ICO press release indicates that adequate safeguards can be put in place in a number of other ways, including Model Contract Clauses, Binding Corporate Rules and Binding Corporate Rules for Processors (BCRs). Where adequate safeguards are established, the rights of data subjects can continue to be protected even after their data has been transferred outside the EEA. Deputy Commissioner David Smith has stated:
“It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions. The ICO has previously published guidance on the full range of options available to businesses to ensure that they are complying with the law related to international transfers. We will now be considering the judgment in detail, working with our counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them. Businesses should check the ICO website for details over the coming weeks.”
It is worth noting that, since the Snowden revelations in 2013, the Commission and the US authorities have been negotiating a more robust arrangement for the transfer of personal data than that currently offered by Safe Harbor. Although those negotiations are said to be well advanced, many are now calling for them to be expedited so as to provide a more reliable regime on which US and EU businesses can rely.
In the meantime, we await the Irish Commissioner's decision and further ICO guidance. Time will tell whether a strengthened Safe Harbor regime, or Model Contract Clauses or BCRs, will be held to provide adequate protection for personal data in the US in light of the mass-surveillance concerns raised by the ECJ. For now, however, no immediate action is required of businesses relying solely on Safe Harbor, beyond reviewing which of their transfers depend on it and which alternative safeguards are available.