On Tuesday 6 October, 2015 the Court of Justice of the European Union ("ECJ") ruled, in the case of Schrems v Data Protection Commissioner, that the 'Safe Harbour' arrangements between the United States and the European Commission are invalid. These arrangements, agreed between the United States and the European Commission, allowed companies based in the U.S. to store personal data about European citizens on U.S. based computer servers without breaching E.U. data protection law (in Ireland; the Data Protection Acts 1988 and 2003). Companies agree to adhere to the Safe Harbour principles, enforced by the U.S. Federal Trade Commission, and as a result are deemed to provide sufficient protection for the personal data. This has allowed Irish subsidiaries of U.S. companies, or even Irish companies which use service providers based in the U.S., transfer personal data to the U.S. without breaching data protection laws.
Facts of the case
This case is the culmination of an action brought against Facebook in the Irish High Court by an Austrian student, Max Schrems. Mr Schrems argued that personal data processed by Facebook is unprotected because it is transferred to the United States, where it is not treated in accordance with EU data protection laws.
Mr Schrems made a complaint to the Irish Data Protection Commissioner (the "DPC") in relation to the processing and transfer of data by Facebook to the U.S. The DPC declined to investigate the matter arguing that the issue was covered under the 'Safe Harbour' convention. Mr Schrems challenged the decision of the DPC in the Irish High Court and the High Court in turn referred the matter to the ECJ on a point of European Law.
Decision of the ECJ
The ECJ ruled as invalid the 'Safe Harbour' arrangements which allowed for the transfer of personal data to the U.S. The ECJ found that the European Commission had neither the legal means to police the Safe Harbour agreement nor the power to prevent U.S. intelligence from collating EU citizens' data. Rather than wait for a successor agreement, the ECJ dismissed the existing arrangement as a breach of EU data rules and the fundamental rights of EU citizens. The ECJ also found that the DPC was not precluded from investigating the original compliant.
Implications of the ECJ Ruling
The ruling does not pull the plug on data transfers between the EU and the U.S. but, until a new transatlantic agreement is put in place, it creates legal uncertainty for all companies currently relying on Safe Harbour as a legitimate means of transferring personal data to the U.S.
There are of course other means whereby personal data can be exported outside the EU. For instance, the European Commission has approved "Model Clauses" which can be included in data transfer agreements with companies based outside of the EEA for the transfer of personal data. Another option would be for Irish companies to obtain consent from the relevant data subject. Given the far-reaching economic consequences of this ruling, the European Commission has insisted that it will soon conclude a new data agreement with the U.S. to ensure that data channels remain open for business.
The ruling of the ECJ presents a clear opportunity for the European Commission to set robust global standards for the protection of personal data. The next steps taken by the European Commission in this area will be analysed carefully and followed with interest by all parties concerned by the ECJ's ruling. For multi-national companies based in Ireland, it is imperative that the EU and the US government put in place reliable methods for lawful data transfers and resolve any issues relating to national security.
The ruling now returns the case to the High Court, where Mr Schrems took a judicial review against the DPC's original decision. It is likely that the High Court will instruct the DPC to investigate fully Mr Schrem's complaint in relation to Facebook's processing of personal data.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.