In its judgment of 6 October 2015, the Court of Justice of the European Union invalidated the so-called Safe Harbour Decision of the European Commission. According to this decision, US entities which were (self-)certified as being "Safe Harbour" were considered to ensure an adequate level of data protection.
Furthermore, the Court held that an "adequacy" decision whereby the European Commission considers a "third" country outside the EEA to provide an adequate level of data protection, does not prevent national data protection authorities from examining the complaint of a data subject regarding the transfer of personal data to a third country, where the data subject believes that the country in question does not provide an adequate level of protection.
It goes without saying that this judgment will have a seismic impact on how EU undertakings have to handle personal data flows to the US. Time to weigh anchor, to sail away from the safe harbour and to look for alternative routes …
Man your stations…
The dispute finds its source in Directive 95/46/EC (the "Data Protection Directive") which states that personal data may only be transferred to countries outside the EU, where the country provides an adequate level of protection for personal data. The European Commission is empowered to find that a given country ensures an adequate level of protection by granting an adequacy decision for that country. In that context, the European Commission adopted Decision 2000/520/EC of 26 July 2000 (the "Safe Harbour Decision") whereby data transfers to companies located in the US were made possible, provided the companies comply with a number of conditions, notably the self-certification of compliance with the requirements of the Safe Harbour Decision.
As with EU and domestic data protection laws, the Safe Harbour Decision foresees exceptions. In the case of the Safe Harbour Decision, the principles set out therein may be derogated from ‘to the extent necessary to meet national security, public interest, or law enforcement requirements’ and ‘by statute, government regulation, or case law that create conflicting obligations or explicit authorisations, provided that, in exercising any such authorisation, an organisation can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorisation’.
… weigh anchor …
Many companies rely upon Safe Harbour to ensure that their US data transfers comply with the Data Protection Directive and its implementing laws, yet this particular case concerns one specific company - Facebook. Maximillian Schrems, an Austrian national, had signed up to Facebook by concluding a contract with Facebook Ireland, Ltd. Facebook Ireland is the EU subsidiary of Facebook, Inc. and the headquarters for all Facebook EU activity. In processing the personal data of their subscribers, including that of Mr Schrems, some or all data are transferred to Facebook servers in the US. In the aftermath of the revelations made by Edward Snowden about the surveillance practices of the US, Mr Schrems filed a complaint with the Irish Data Protection Commissioner, claiming that the US did not offer adequate protection of personal data against state surveillance.
The Irish Data Protection Commissioner refused to investigate the complaint. According to Irish law, the Data Protection Commissioner must consider a question on the adequacy of the protection offered by a country outside the EEA for which the Commission has made an adequacy finding in accordance with that finding. With the Safe Harbour Decision having determined that transfers to participating companies were adequately protected, the Data Protection Commission rejected the complaint.
The High Court, in analysing the case, stated that Irish law required that any interference with the right to privacy and inviolability of the dwelling must be in accordance with the law and proportionate. The mass surveillance would not be considered proportional under Irish law and the Data Protection Commissioner would have had to examine the complaint, had the case been approached exclusively on Irish law. However, the High Court recognised that, the case concerns the implementation of EU law and that the question should be assessed in light of the EU law and the EU Charter of Fundamental Rights (the "Charter"). The High Court found that in light of the Data Protection Directive and the Safe Harbour Decision, the Data Protection Commissioner had acted entirely in accordance with EU law. However, the High Court asked whether, in light of the recent revelations and the EU Charter, a national data protection authority is absolutely bound by the Safe Harbour Decision.
… hoist sails …
Advocate-General Bot delivered his opinion on 25 September 2015 and the CJEU, in a rather exceptional move, followed suit less than two weeks later.
In his opinion, the Advocate-General advised that the Data Protection Directive and European Commission Decisions do not prevent national data protection authorities (the "DPAs") from examining the complaint of a data subject regarding the transfer of personal data to a third country where the data subject believes that the country in question does not provide an adequate level of protection.
In addition to the question of the High Court, the Advocate-General advised the CJEU to declare the Safe Harbour Decision invalid.
a) Powers of national DPAs vs. adequacy decisions of the European Commission
With regard to the first question, the CJEU firstly highlighted the importance of fundamental rights (citing its own recent case-law) as well as the importance of independent and effective national data protection supervisory authorities and stated that these should strike a fair balance between observance of the fundamental rights on the one hand and business interests, on the other.
Setting out that national DPAs are empowered to review the processing of personal data taking place in their Member State and that, given the fact that a transfer from a Member State to a third country constitutes processing, the CJEU stated that DPAs should be vested with the power to assess whether data transfers to a third country comply with the Data Protection Directive. Furthermore, the CJEU recalled that the EU is based on the rule of law in which all acts are subject to review of their compatibility with the Treaties, general principles of law and fundamental rights.
However, the Safe Harbour Decision, having been addressed to each Member State, is binding both for the Member States and all their organs, and neither the Member States nor their organs can adopt measures contrary to the Safe Harbour Decision.
This cannot prevent data subjects from lodging a complaint nor DPAs from making an assessment of the processing. This is in particular so as neither the Charter nor the Data Protection Directive limit DPAs' powers to review data transfers to third countries.
The CJEU went on to state that only the CJEU, and not national courts, has the power to declare that an EU act, such as the Safe Harbour Decision, is invalid, and detailed the procedure for DPAs to follow when faced with a complaint concerning the transfer to third countries. DPAs must examine the complaint and determine whether the complaint should be rejected or whether it is founded.
- Where the complaint is rejected, the data subject will have the right of recourse before national courts, who must stay the proceedings and refer the case to the CJEU.
- Where the DPA considers the complaint to be founded, the DPA should be vested with powers to engage in legal proceedings before national courts who may then, if they consider the objections founded, refer the case to the CJEU.
b) Invalidation of the Safe Harbour Decision
As concerns the Safe Harbour Decision, the CJEU found that in light of the foregoing elaborations on the separation of powers and the revelations about US surveillance practices including the serious doubts of both Mr Schrems and the High Court, the conformity of the Safe Harbour Decision with the Data Protection Directive, read in the light of the Charter, should be assessed.
The CJEU observed that, in having adopted the Safe Harbour Decision, the Commission should have analysed whether the legal order of the country in question ensured a level of protection which was "essentially equivalent" to that provided by the Data Protection Directive, read in the light of the Charter. However, the European Commission did not make such a statement in the Safe Harbour Decision.
Moving on in its assessment, the CJEU found the Safe Harbour Decision applicable only to self-certifying companies, but not to US public authorities, who had access to the data. Furthermore, in light of the broad exceptions provided for in the Safe Harbour Decision (as set out above) and the explicit primacy of US law in the event of a conflict between the Safe Harbour Decision and US law foreseen therein, the CJEU found that companies are obliged to disregard the protection offered by the Safe Harbour Decision.
With specific reference to communications of the European Commission highlighting the same issues in 2013, the CJEU added that the interference with the fundamental rights of data subjects established by the Safe Harbour Decision is not limited by a provision of the Safe Harbour Decision, nor any kind of effective legal protection.
Citing case C-293/12 and C-594/12 Digital Rights Ireland, the CJEU then observed that under EU law, derogations and limitations of fundamental rights must by applied only in so far as is strictly necessary. The broad-scope, all-encompassing US surveillance legislation could not be considered as being strictly necessary.
Furthermore, the CJEU found that the Commission in adopting the Safe Harbour Decision, which limits the powers of review of national DPAs in the context of data transfers to third countries, had overstepped the powers granted to it for adopting decisions.
The CJEU therefore declared the Safe Harbour Decision invalid.
… and choose an alternative route
In light of the decision by the CJEU, companies relying on Safe Harbour for their transfers to the US should make amendments in order to ensure that they remain compliant with EU data protection rules.
While the Data Protection Directive sets out a number of exceptions, such as the data subject's consent, that may be relied upon to legitimise transfers to third countries. It should be noted that the Article 29 Working Party, the organisation bringing together representatives of all EU DPAs, has recommended that transfers "which might be qualified as repeated, mass or structural should … be carried out within a specific legal framework (i.e. contracts or binding corporate rules)".
If data transfers to the US are imperative and concern large amounts of data, other means of reaching an adequate level of protection and legitimizing transfers should thus be relied upon, such as standard contractual clauses and BCRs. Please beware that in some countries, like Luxembourg, such transfers must be authorised by the national DPA beforehand even where a data transfer takes place on the basis of such a contractual framework.
The contractual alternative seems prima facie a good way to escape from the un-safe harbour but such contractual mechanism cannot take away the concern of the far-stretching and all-encompassing US surveillance legislation. The latter makes it virtually impossible to assure an adequate level of protection for transfers of data to the US …
The only alternative in the meantime thus seems to keep the data within the EU and, e.g. in the context of cloud-based services, to rely on EU based cloud providers with servers in the EU and which do not have affiliates in the US, as an adequate level of data protection is guaranteed throughout the EU thanks to the Data Protection Directive. Luxembourg, in particular, has a favourable environment for cloud service providers and cloud users alike, in bringing together the necessary infrastructure with a legal regime that enhances protection for cloud users in that it permits cloud users, subject to certain conditions, to claim back data held by a cloud provider in the event of the bankruptcy of the latter.