The Schrems v Data Protection Commissioner case undermines the Safe Harbour scheme, explain Anne-Marie Bohan and John O’Connor.
The Court of Justice of the European Union (CJEU) ruling that Safe Harbour is invalid has implications for all EU companies that transfer data to US companies that are Safe Harbour certified, and not simply for those located in Ireland, where the Schrems case originated.
The judgment is also hugely significant for the over 4,000 US companies that rely on Safe Harbour to legitimise transfers of personal data from the EU to the US.
This case was referred to the CJEU by the Irish High Court in June 2014 after the Irish Data Protection Commissioner (DPC) had refused to investigate the complaint of Austrian student Maximilian Schrems.
Schrems had argued that transfers of personal data from Facebook Ireland to Facebook Inc. in the US should be suspended in light of the Edward Snowden revelations concerning the National Security Agency’s PRISM programme and the mass surveillance of data in the US.
The DPC refused to investigate the complaint on the basis that the DPC was bound by a decision of the European Commission that the Safe Harbour scheme ensured adequate protection of personal data and legitimised transfers to companies signed up to the scheme.
The CJEU’s ruling declared that Safe Harbour was invalid and can no longer be used as a basis for legitimising the transfer of personal data to the US. The CJEU held that the interference by US authorities with the fundamental rights of individuals is not limited to what is strictly necessary, as US law authorises the mass surveillance of personal data without limitation or differentiation on the basis of the objective pursued.
This, it stated, compromised the essence of the right to protection of personal data and as such was a disproportionate interference. The lack of effective judicial protection or the possibility for an individual to pursue legal remedies also compromised fundamental rights and the rule of law.
The CJEU also held that a European Commission decision regarding the adequacy of arrangements such as Safe Harbour does not preclude a national data protection authority from examining transfers of data to ensure compliance with the EU Data Protection Directive and the Charter of Fundamental Rights of the European Union. However, only the CJEU can declare a European Commission decision invalid.
Accordingly, following any investigation, a national data protection authority must bring proceedings before the national courts, which may refer the case to the CJEU if there are doubts as to the validity of the European Commission decision. Dissatisfied complainants, such as Schrems, may also bring proceedings before the national courts where the national data protection authority does not find cause to question the Commission decision.
The invalidity of the Safe Harbour regime will not result in an immediate halt to all transfers of personal data from the EU to the US, as the EU Directive provides for other exemptions to the general prohibition on transfers outside the European Economic Area (EEA). For US companies that are Safe Harbour certified, and for Irish and EU companies that transfer personal data to US companies that are Safe Harbour certified, immediate consideration should be given to the implementation of an alternative solution to Safe Harbour based on these other exemptions.
It is possible to transfer personal data from Ireland (and other EU member states) to companies in the US and other non-EEA jurisdictions through the use of European Commission-approved model clauses (also known as the standard contractual clauses), and through the use of intra-group binding corporate rules. The measures that Safe Harbour certified companies have implemented in practice in complying with the Safe Harbour regime will continue to be relevant under either solution, or if one of the more restrictive exemptions applies.
The model clauses are in pre-approved form and do not require the pre-approval of the DPC. While these can often be implemented with relative ease, on occasion they require significant operational changes. Binding corporate rules, which apply on an intra-group basis only, require approval from the company’s relevant EU data protection authority and take considerably longer to implement.
Both the model clauses and binding corporate rules give the data subject the right to take direct action to enforce them, an important feature.
There are a number of other exemptions to the prohibition on data transfer, including data subject consent and where the transfer is necessary for the purposes of a contract with the data subject.
However, it can be difficult to justify transfers on the basis of these exemptions where the transfer is systematic and where there is no genuine ability for a data subject to object.
Therefore, the safest option for any data controller within the EU that wishes to transfer data on a systematic basis to non-EEA jurisdictions, including the US (and irrespective of whether that transfer is to a parent company or to a service provider), is to use appropriate model clauses and/or binding corporate rules.
The European Commission, in a press release following the ruling, identified the continuation of transatlantic data flows as crucial to the European economy and one of its top priorities. It has stated that it will work closely with national data protection authorities and will issue clear guidance on transfer requests to the US.
On October 16th 2015, the Article 29 Working Party (the Working Party), the advisory body composed of representatives from each member state’s data protection authority, the European Data Protection Supervisor and the European Commission, issued a statement clarifying certain implications of the ruling.
The Working Party reiterated the CJEU’s ruling that massive and indiscriminate surveillance is incompatible with the EU legal framework, and third countries including the US that go beyond what is necessary in a democratic society will not be considered safe destinations for personal data. The Working Party also reiterated the CJEU’s statement that transfers still taking place under Safe Harbour are unlawful.
The Working Party called on member states and European institutions to open discussions with US authorities urgently in order to find a long-term solution. The EU and the US have been in discussions for some time on a new version of Safe Harbour, Safe Harbour 2.0.
In the meantime, the Working Party suggests that businesses should consider putting legal and technical solutions in place in a timely manner. It has suggested, however, that if no long-term solution is found by the end of January 2016, the national authorities may take all necessary measures, including enforcement actions.
A number of initiatives at EU and US level seek to redress the balance between security on the one hand, and individual freedoms on the other, as well as address the perceived and actual shortcomings of Safe Harbour.
In June of this year the USA Freedom Act was passed in the US to strengthen privacy rights and curtail data surveillance. The Act also enhances individual rights by permitting the Foreign Intelligence Surveillance Court to appoint advocates to advance arguments for privacy and civil liberties.
The EU Commission and the US have also recently finalised negotiations on data protection standards for transatlantic law enforcement cooperation.
The resulting Umbrella Agreement guarantees strong data protection rules for personal data shared with US authorities for the purposes of law enforcement.
A condition of the Umbrella Agreement is that all EU citizens would be guaranteed a right to enforce their rights in US courts. This is intended to take effect through the Judicial Redress Bill, which extends the civil remedies available under the US Privacy Act of 1974 to EU citizens.
This Bill will go some way to addressing concerns identified in the CJEU judgment that the lack of judicial oversight and effective redress for EU citizens were fatal to the validity of the Safe Harbour scheme. As discussed above, negotiations are also underway on a revised Safe Harbour framework.
Pending the conclusion of these negotiations, however, multinationals and companies sharing personal data must seek an alternative basis to legitimise transfers of personal data to the US.
The principal options available are appropriate model clauses or, in the case of intra-group transfers, binding corporate rules. National data protection authorities have committed to analysing these methods of transfer but no enforcement action will be taken until February 2016.