The Court of Justice of the European Union ("CJEU") is due to give its ruling in the case of Schrems v Data Protection Commissioner on Tuesday 6 October.
Given that the recently published opinion of Advocate General Bot in relation to this case raises a question mark over the future of the so-called "Safe Harbor" scheme, data protection practitioners, and the 4,000 or so companies which reportedly rely on the Safe Harbor scheme, will be watching eagerly (and with some trepidation) to see whether the CJEU's ruling follows AG Bot's recommendations.
What is Safe Harbor?
The Safe Harbor scheme is a framework agreed between the United States and the EU Commission whereby personal data may be transferred to the United States without contravening the general prohibition under EU data protection law (contained, in the Irish context, in Section 11 of the Irish Data Protection Acts 1988 and 2003 ("DPA")) on the transfer of personal data outside of the European Economic Area ("EEA"), to countries which are deemed not to provide an adequate standard of protection for personal data.
US companies which agree to adhere to the Safe Harbor principles are deemed to provide an adequate level of protection for personal data for these purposes. As such, Irish companies using service providers based in the US, or Irish-based subsidiaries of US companies, may transfer personal data to their Safe Harbor certified service providers or parent companies in compliance with Section 11 of the DPA.
Background to the Schrems Case
Schrems v Data Protection Commissioner relates to a request for a preliminary ruling from the Irish High Court on a case taken by Austrian privacy campaigner, Max Schrems, against the Irish Data Protection Commissioner ("DPC").
Mr Schrems had complained to the DPC about Facebook Ireland Limited transferring subscriber personal data to the United States, in circumstances where, he claimed, the laws and practices of the United States offer no real protection against State surveillance (as evidenced by the Edward Snowden revelations).
The DPC refused to investigate Mr Schrems’ complaint on a number of grounds, including on the basis that it was prevented from investigating allegations challenging a binding decision of the EU Commission (Decision 2000/520/EC) as to the adequacy of the protection for personal data under the Safe Harbor scheme.
AG Bot’s Opinion
AG Bot, in considering whether the DPC was bound by the Commission's decision, or could conduct its own investigation as to the adequacy or otherwise of the protection under Safe Harbor, commented that "the revelations about the practices of the United States intelligence services as regards the generalised surveillance of data transferred under the safe harbour scheme have shed light on certain insufficiencies specific to Decision 2000/520". He further noted that the access and surveillance complained of is in fact permitted by the broad wording of the derogations from the privacy requirements set out in Decision 2000/520. He concluded, on this basis, that the Safe Harbor scheme, as defined in Decision 2000/520, cannot be regarded as ensuring an adequate level of protection for personal data transferred from the EU to the US under that scheme, and that the Decision should therefore be declared invalid.
AG Bot further concluded that it should be possible for national supervisory authorities (eg the DPC in Ireland) to investigate a complaint that the United States does not ensure an adequate level of protection for personal data transferred under the Safe Harbor scheme and, where appropriate, suspend the transfer of such data.
Alternatives to Safe Harbor
Pending the judgment of the CJEU, organisations based in the EU which currently rely on Safe Harbor in order to transfer personal data to the US, or which are considering relying on Safe Harbor in respect of planned outsourcing or intragroup activities, may wish to "future-proof" their data transfer arrangements by availing of one of the other exemptions from the prohibition on the transfer of personal data outside of the EEA. Organisations may consider, for example, entering into data transfer agreements, based on the EU Commission approved "Model Clauses", with companies based outside of the EEA to which they need to transfer personal data. Multinational organisations may, alternatively, consider putting in place "binding corporate rules" across their international group. Binding corporate rules are internal rules or guidelines, which must be approved by a national supervisory authority, and which govern and facilitate the transfer of personal data from group companies based in the EEA to group companies located in countries which are not deemed to provide an adequate level of protection for personal data.
It is hoped that the CJEU’s much anticipated ruling will clarify the extent to which organisations can rely on the Safe Harbor regime.