On 6 October 2015, the Court of Justice of the European Union (CJEU) delivered its judgment in the case of Maximillian Schrems v. Data Protection Commissioner (Case C-362/14).
The judgment was not altogether unexpected given the earlier Opinion of the Advocate General on 23 September 2015, but it has still sent shockwaves through the many industry bodies and organisations that already carry out international data transfers to the USA, either themselves or by using third-party service providers to do so on their behalf.
Safe Harbour no longer “safe” for international data transfers
In its judgment, the CJEU found that the US Safe Harbour scheme was invalid.
The CJEU made it clear that it alone has jurisdiction to declare invalid a European Commission finding of adequacy, i.e. a finding that a non-EU country or scheme provides adequate protection so that international data transfers to it are “safe” or “permitted”. In this case, it has decided that Decision 2000/520/EC on the adequacy of the protection afforded by the US Safe Harbour scheme (“EC Safe Harbour Decision”) is invalid.
This means that the Safe Harbour scheme, which is used by more than 5,000 US companies, can no longer be relied on as a lawful compliance mechanism permitting personal data about European data subjects to be transferred to the USA.
For those who are unfamiliar with the background to this case:
The US Safe Harbour scheme was challenged by a Facebook user, Max Schrems, following the revelations by Edward Snowden about interception of communications by US intelligence agencies including the National Security Agency (NSA).
It was alleged that the NSA had accessed data about Europeans and other foreign citizens stored by the US tech giants via a surveillance scheme called Prism.
Schrems therefore argued that US law and practice did not offer sufficient protection against surveillance by public authorities of personal data transferred to the USA. He asked the Irish Data Protection Commissioner (“Irish DPC”) to investigate what information Facebook might be disclosing and to prohibit the transfer of his data to the USA.
The Irish DPC rejected Schrems’ complaint and request on the basis of the EC Safe Harbour Decision.
Schrems sought judicial review of that decision in the Irish High Court, which referred questions on the validity of the EC Safe Harbour Decision to the CJEU.
The CJEU’s reasoning rests on the following findings:
The Safe Harbour scheme only applies to US undertakings that are registered with Safe Harbour, not to US public authorities.
US national security, public interest and law enforcement requirements take precedence over the Safe Harbour scheme; when a conflict arises, US undertakings must disapply the Safe Harbour rules. US public law enforcement authorities that obtain personal data from organisations in the Safe Harbour scheme are not obliged to follow the Safe Harbour rules after disclosure.
US law also allows the storage, on a generalised basis, of all personal data transferred from the EU to the USA, without any differentiation or limitation according to the purpose pursued and without any objective criterion limiting when US public authorities may access and use that data.
The Safe Harbour rules give individuals no adequate means to access their data, to require it to be rectified or erased where appropriate, or to pursue legal remedies to that end.
On learning of the judgment, Max Schrems said, “I very much welcome the judgment of the court, which will hopefully be a milestone when it comes to online privacy. It clarifies that mass surveillance violates our fundamental rights.”
National DPAs to make own findings of adequacy
In its judgment, the CJEU also found that national data protection authorities (DPAs) must be able to examine, with complete independence, whether an international data transfer provides adequate protection.
National DPAs have the power to examine whether international data transfers comply with the EU Data Protection Directive (95/46/EC) (“EU Directive”) and to suspend them if they are not compliant. This power exists even where the European Commission has previously found that a non-EU country or scheme (here, the Safe Harbour scheme) provides adequate protection, because DPAs have independent powers granted under the EU Directive.
National DPAs may therefore investigate complaints about international data transfers made under the Safe Harbour scheme and, where their investigation finds that a transfer does not provide adequate protection, prohibit or suspend it.
What next for Facebook?
As a result of Max Schrems’ Facebook case, the Irish DPC must now conduct a thorough investigation of his complaint, exercising all due diligence. The purpose is to decide whether the transfer of data about European users of Facebook to the USA should be prohibited, given that the Safe Harbour scheme no longer provides a permitted compliance mechanism.
And what about the rest of us?
On the face of it, this case may seem to be about taking on the mighty Facebook. However, in reality, it’s about all transfers of personal data to the USA by all organisations. These may include:
Data transfers to head offices in the USA or transfers sent to the USA for particular service provision, either directly by organisations or via their sub-contractors.
Transfers for data back-ups, CRM, accounting, payroll and personnel record hosting or services, data analytics, IT services, surveys carried out, etc.
The case therefore has wide-reaching implications for all organisations that transfer information from Europe to the USA. As a result, many industry bodies and organisations are reeling from the news of this case, each scrambling to work out the full implications of the CJEU decision for their business.
In essence, the many thousands of organisations carrying out international data transfers to the USA (or using third-party service providers (data processors) to do so on their behalf):
Should no longer transfer personal data to US organisations solely on the basis that they are registered with Safe Harbour.
Are likely to face a huge additional compliance burden, potentially having to liaise with numerous European data protection authorities rather than relying on the Safe Harbour scheme.
Will have to conduct more costly privacy impact assessments, and put more legal paperwork in place, to justify their US data transfers.
The EU Article 29 Working Party, the UK Information Commissioner’s Office and the Spanish DPA have already published statements on the judgment. In basic terms, these statements say that these bodies will consult with other EU DPAs to issue guidance for organisations on what to do next. The European Commission has also said that it will issue “clear guidance” in the coming weeks to prevent member states’ data authorities issuing conflicting rulings.
Organisations will be keen to see this regulatory guidance published sooner rather than later because, following the decision, they may no longer have a compliant mechanism that permits data transfers to the USA. Although there are other potential legal pathways that allow compliant data transfers to take place (for example, the European standard contractual clauses), many will require further work, analysis, justification and paperwork before they can be relied on. This will take organisations time to consider properly, yet the CJEU decision allows no time: there is no transition period in which to put a new mechanism in place, with the result that many organisations became technically in breach of the legislation overnight.
Many of us practitioners hope that the EU and the USA will agree a new compliant transfer agreement or system. However, unfortunately, this may be slow in coming. We understand that there have been ongoing negotiations for several years, trying but failing to agree on a better solution.
Watch this space!
If you require any further information or advice on how to stay compliant when transferring data to the USA, implementing the European standard contractual clauses to ensure compliance, or any other data protection or privacy matter, please don’t hesitate to contact Pritchetts.