Europe’s top court, the Court of Justice of the European Union (ECJ), has struck down a 15-year-old European Commission decision that permitted the transfer of personal data from the EU to the U.S. under what is known as the EU-U.S. Safe Harbor. Thousands of EU and U.S. companies that rely on Safe Harbor will need to rethink how they legalize the transfer of personal data across the Atlantic.
For years, companies have used Safe Harbor to comply with European rules, which stipulate that personal data must not be sent outside the EU unless it receives ‘adequate protection.’ The Safe Harbor permitted U.S. companies that self-certified compliance with a set of principles to receive personal data from the EU. In recent years, however, privacy regulators, advocates and politicians have criticised Safe Harbor as not affording the level of protection required by those rules.
Austrian privacy advocate Max Schrems agreed. In 2013, after the Edward Snowden revelations about the U.S. security services’ access to data hosted by U.S. tech companies, Schrems lodged a complaint about Facebook with the Irish Data Protection Commissioner. Relying on the European Commission decision and the fact that Facebook was signed up to the Safe Harbor, the Irish Commissioner dismissed the complaint. At this point, Schrems took the Irish Commissioner to court in Ireland and the Irish High Court referred the matter to the ECJ.
On Oct. 6, 2015, the ECJ handed down its widely anticipated decision in the case. The decision follows the opinion of the court’s adviser, Advocate General Bot, which was issued less than two weeks ago. The ECJ had two main findings:
1. The existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to national supervisory authorities.
Data protection regulators, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complied with the requirements laid down by the European Data Protection Directive, even if the Commission has adopted an adequacy decision. If a regulator believes the decision is invalid, it must bring the matter before its national courts so that they may refer the case to the ECJ, which alone has the jurisdiction to declare that a Commission decision is invalid.
Effectively, this confirms that each of the 28-nation bloc’s data protection regulators has the power to review data transfers that rely on one of the Commission’s decisions of adequacy. Safe Harbor was one of 12 such decisions declaring that a third country provided adequate protection for personal data. The others relate to Andorra, Argentina, Canada, the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
2. The Commission decision on Safe Harbor is invalid.
The ECJ then said that the Commission’s decision did not properly assess the protection for personal data afforded by the United States. The Court found that organizations were bound to disregard Safe Harbor’s requirements where they conflicted with the national security, public interest and law enforcement requirements of the United States and, because of this, the Safe Harbor enables interference by United States public authorities. This interference means the level of protection afforded to the data transferred was not equivalent to that guaranteed within the EU and, because of this, the decision is invalid.
Therefore, of considerably more immediate impact on anyone sending personal data from the EU to the U.S., or receiving personal data in the U.S. from the EU, is that they can no longer rely on the Safe Harbor. This includes the more than 4,000 U.S. organizations currently certified to the framework. Organizations will need to review their data transfer procedures and ensure they can rely on one of the other methods of complying with EU data protection rules.
We are aware of at least one U.S.-based service provider already taking the proactive step of contacting its customers to advise them of the ECJ’s decision and offering an alternative method of complying with the EU’s data transfer rules by asking them to sign the EU’s prescribed ‘model clauses.’ ‘Model clauses,’ which are entered into between the EU exporter of personal data and the non-EU importer, require the importer to afford certain privacy protections to data transferred to it.
During a press conference to discuss the ruling, Commission officials remarked that they saw the decision as confirmation of the Commission’s current approach of renegotiating the Safe Harbor. The Commission would continue to work with the U.S. authorities to make data transfers safer for European citizens and build on the important progress it has made to date.
Noting that the continuation of transatlantic data flows is important for the European economy, the officials declared that the Commission would come forward with clear guidance for national regulators on how to deal with data transfer requests to the U.S., in the hope of avoiding a patchwork of conflicting decisions.
The Schrems case has now been referred back to the Irish court. The Irish data protection authority must examine Schrems’ complaint and decide whether the transfer of personal data to the United States should be suspended.
The ECJ’s landmark ruling comes in the context of wider reform of Europe’s data protection regime. Europe’s authorities are currently overhauling the Data Protection Directive to strengthen the protections it gives individuals and to increase the obligations on organizations that process personal data. In its press conference, the Commission confirmed that the reform was on track to be finalized this year.
It will also be interesting to see what impact this decision has on the current Safe Harbor renegotiations. Certainly, some do not agree with the Commission’s insistence that those negotiations can build on this ruling and believe that the renewal of the framework is now in doubt.
The full name of the case referred to in this piece is case C-362/14 Maximillian Schrems v Data Protection Commissioner.
Christian Schröder is a partner in Orrick’s Technology Companies Group in Düsseldorf and head of the firm’s IP/IT & Data Privacy Practice Group in Germany. Kolvin Stone is a partner in Orrick’s Technology Companies Group in London and a member of the firm’s Cybersecurity & Data Privacy Group. Paul Hansford is a managing associate in Orrick’s Technology Companies Group in London. Tony Kim is a partner in Orrick’s Antitrust & Competition Group in Washington, D.C. and co-chair of the firm’s Cybersecurity & Data Privacy Group. Aravind Swaminathan is a partner in Orrick’s White Collar & Corporate Investigations Group in Seattle and co-chair of the firm’s Cybersecurity & Data Privacy Group.
Reprinted with permission from the October 9, 2015 issue of Legaltech News. © 2015 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.