On 6 October 2015, the CJEU (case no. C-362/14) has declared the Commission's 2000 decision on Safe Harbor concerning the transfer of personal data from the EU to the USA to be invalid, with immediate effect. The CJEU has also held that the existence of any Commission decision that a third country ensures an adequate level of protection (which applies, for example, to Argentina, Canada, Israel, New Zealand, Switzerland and Uruguay) cannot reduce the powers of national data protection authorities, opening up the possibility of future challenges to those adequacy findings as well.
This CJEU judgment has wide ramifications for German companies that transfer their customer or employee data to the U.S. relying on the Safe Harbor principles. Such transfer is now prohibited. German companies must quickly find and implement alternative ways to legitimise the transfer such as standard contractual clauses adopted by the Commission (Model Clauses) or Binding Corporate Rules (BCR, for intra-group transfers).
Under the German Data Protection Act ("Bundesdatenschutzgesetz – BDSG"), transfers of personal data outside the EEA may, in principle, take place only if the receiving country ensures an adequate level of protection of the data similar to the level within the EU. In this regard, the Commission may find that a particular country ensures adequate protection. The Commission made a finding of adequacy with respect to transfers to U.S. companies who have signed up to the Safe Harbor scheme. This scheme was now challenged by Austrian Max Schrems who lodged a complaint about the transfer of his personal data from Facebook in Ireland to Facebook's U.S. servers. However, the challenge of Safe Harbor before the CJEU was only a matter of time and does not come as a complete surprise. The German Conference of Data Supervisory Authorities, for example, adopted a decision in March 2015 where it declared that the Safe Harbor scheme does not provide for an adequate level of protection of the data regarding a data transfer to the U.S.
The CJEU has declared that the Commission decision that Safe Harbor provides adequate protection is not compliant with EU law and therefore is invalid. On the one hand the personal data of EU citizens is not sufficiently protected against access of U.S. authorities, on the other hand U.S. legislation does not provide for any possibilities for EU citizens to pursue legal remedies in order to have access to the personal data concerned, or to obtain the rectification or erasure of such data. Additionally, according to the CJEU the implementing power granted by EU legislature to the Commission does not confer upon it competence to restrict the national supervisory authorities' powers to assess whether an adequate level of protection is guaranteed in each respective case. The CJEU confirmed that the Data Protection Directive does not prevent oversight by national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission adequacy decision. Furthermore, national legislature has to provide for legal remedies enabling the national supervisory authority concerned to put forward the objections which it considers well founded before the national courts. As regards the latter, the BDSG currently does not provide for such legal measures and, therefore, the German government is obliged to implement such legal remedies for supervisory authorities in due time.
German entities that transfer personal data from Germany to the U.S. on the basis of Safe Harbor will quickly have to find an alternative way to legitimise the transfer. The impact of this judgement will, of course, largely depend on whether organisations are relying solely on Safe Harbor for transfers, or are backing it up with other measures. Many large German based multi-national organisations already require Safe Harbor certified service providers to enter into Model Clauses and the immediate impact for those companies is likely to be limited. For those organisations that have not yet done so, it would be advisable to carry out an audit promptly to identify cases where an alternative solution needs to be put in place.
However, it is to date unclear what impact the decision of the CJEU will have on other instruments for data transfer outside the EU such as Model Clauses or BCRs. According to Commissioner Jourova these instruments are still valid as regards the transfer of data to the U.S. Contrary to this, the Supervisory Authority of North Rhine-Westphalia, for example, remarks that for other instruments (i.e. Model Clauses and BCR) assessments based on the rulings of the CJEU have to be undertaken in order to determine whether these alternatives also constitute as valid justifications for the data transfer from Germany to the U.S. For that reason German companies should observe how the national supervisory authorities will react following the CJEU decision and, as the circumstances require, liaise with the competent authority prior to undertaking any measures.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.