In a landmark judgment in Schrems v Data Protection Commissioner (C-362/14) (October 6, 2015) ("Safe Harbor judgment"), the European Court of Justice ("ECJ") found the Safe Harbor Decision of the European Commission (Commission Decision 2000/520/EC of 26 July 2000) to be invalid. The invalidity of the Safe Harbor Decision calls into question the legality of large portions of data flows from Europe to the United States and causes considerable legal uncertainty for US companies offering their services in the EU.
Legal Background
Under Art. 25 (1) of the EU Data Protection Directive 95/46/EC
("Directive 95/46"), the central legislation to govern
the processing of personal data of European users, personal data of
European citizens may be transferred to a non-EU country only if
the country in question ensures an adequate level of protection of
the data transferred. In its Safe Harbor Decision, the European
Commission had decided that the "Safe Harbor Privacy
Principles" as provided for by the United States Department of
Commerce and its guidance documents (e.g., the FAQs) and
procedures ensure an adequate level of protection for personal data
transferred from the EU to organizations established in the US
provided that these organizations: (1) have unambiguously and
publicly disclosed their commitment to comply with the Safe Harbor
Principles; and (2) are subject to the statutory powers of a
government body in the United States that is empowered to
investigate complaints and to obtain relief against unfair or
deceptive practices as well as redress for individuals.
Such decisions of the European Commission are generally binding for
the EU Member States and their authorities. Hence, based on
the Safe Harbor Decision, the transfer of personal data of EU
citizens to Safe Harbor-certified organizations in the US, which
have been treated by virtue of the Safe Harbor Decision as if they
were seated in a safe country in the meaning of Art. 25 (1)
Directive 95/46, was considered legal. Large portions of the
currently existing data transfers from the EU to the US rely for
their legitimacy on the Safe Harbor Decision.
The Safe Harbor Judgment of the ECJ
The case before the ECJ was referred by the High Court of
Ireland in a case brought by Max Schrems, an Austrian data
protection activist, against the Irish Data Protection Commissioner
("IDPC"). Mr. Schrems had asked the IDPC to exercise his
powers to prohibit Facebook from transferring his personal data to
the United States. The IDPC refused to take action, arguing that it
was bound by the Safe Harbor Decision. Mr. Schrems brought an
action before the Irish courts, challenging this decision of the
IDPC, and the High Court of Ireland referred the case to the ECJ,
asking whether the Safe Harbor Decision could indeed be binding on
the IDPC, given that "the revelations made by Edward Snowden
had demonstrated a 'significant over-reach' on the part of
the NSA and other federal agencies" on the data transferred
from the European Union to the United States.
The ECJ judgment addresses the question of the High Court in two
steps:
- In a first step, the ECJ finds that the national data protection authorities ("DPAs") are always entitled to investigate and assess, upon a complaint of a person concerned, a data transfer to a third country, regardless of whether or not the European Commission has adopted a decision on the adequacy of the level of protection in the destination country (paras. 51-57). Moreover, the ECJ alone has jurisdiction to declare that an EU action, such as a Commission decision, is invalid. This means that a DPA or the person concerned must put forward their objections against a Commission decision before a national court, which in turn may refer the case to the ECJ (paras. 61-65).
- In a second step, the ECJ assesses the Safe Harbor Decision
itself and finds it, "without there being any need to examine
the content of the safe harbor principles," to be invalid
since the Commission, when adopting it, did not find "duly
stating reasons" that the United States does in fact ensure,
by reason of its domestic law or its international commitments, an
adequate level of protection (paras. 96-98).
The ECJ decision states that an adequate level of protection within the meaning of Art. 25 (1) Directive 95/46 does not require a level of protection identical to that guaranteed in the EU legal order. In order to comply with this standard, however, a country has to ensure a level of protection of fundamental rights and freedoms that is "essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter" (para. 73). According to the ECJ, the Commission did not advance in its Safe Harbor Decision sufficient reasons to the effect that the safe harbor principles actually ensured such a standard of protection. Inter alia, the ECJ criticizes that the Safe Harbor Decision:
- lays down that national security, public interest, or law
enforcement requirements have primacy over the safe harbor
principles (paras. 84-87),
- contains no finding regarding the existence in the United
States of rules intended to limit any interference with the
fundamental rights of the persons whose data is transferred to the
US (para. 88), and
- does not refer to the existence of effective legal protection against interference of that kind (para. 89).
The ECJ decision goes on to hold that this analysis was borne out by the Commission's own assessments advanced in communications in 2013, which found that the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way that is incompatible, in particular, with the purposes for which it was transferred and beyond what was strictly necessary and proportionate to the protection of national security. The Commission had also noted that the data subjects had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased (para. 90). According to the court, such access was incompatible with the level of protection of fundamental rights and freedoms that is guaranteed within the European Union (paras. 91-95).
Basic Takeaways
The Safe Harbor judgment of the ECJ has the potential to cause a
sea-change with respect to how data transfers between the EU and
the US will have to be structured in the future. United States
organizations cannot at this point rely any longer on a Safe Harbor
certification to transfer personal data of European citizens from
the European Union to the United States. In addition, the Safe
Harbor judgment appears to leave no room for a new industry-driven
or certificate-based solution to replace the Safe Harbor, unless
the United States guarantees an adequate level of protection,
i.e., a protection "essentially equivalent" to
the protection afforded in the EU, based on domestic law or its
international commitments. The ECJ has made clear that to this end
in particular the access of United States authorities to the data
of European Union citizens transferred to the United States will
have to be limited in line with the requirements set out in the
case law of the ECJ.
Short-term solutions will therefore, most likely, have to be based
on alternative legal grounds under Art. 26 Directive 95/46, such as
standard contractual clauses or explicit consent of
the persons concerned.
In its first reaction to the Safe Harbor judgment, the European
Commission reiterated its determination to find a solution to
ensure the continuation of data flows across the Atlantic. It
announced it will continue to negotiate with the United States a
"Safer" Safe Harbor framework.
In order to mitigate unreasonable legal uncertainty for United
States companies facing uncoordinated initiatives by national DPAs
that may feel encouraged by the Safe Harbor judgment to suspend
data transfer to the US, the Commission also announced its
intention to work closely with the DPAs and to issue clear guidance
on how to deal with transfer requests or complaints. Whether these
political initiatives of the Commission will provide practical
solutions in the short term remains to be seen.