Keywords: CJEU, transfers, personal data, Safe Harbor
In its judgment of October 6, 2015 (Case C-362/14) the Court of
Justice of the European Union ("CJEU") held that
transfers of personal data of European citizens to the United
States made under the so-called Safe Harbor scheme are subject to
significant risks, and declared the corresponding decision of the
European Commission to be invalid. As a consequence, EU entities of
U.S. companies that have so far relied on Safe Harbor will need to
revise their practice of submitting personal data to the U.S. to
comply with EU data protection law.
The background to this CJEU ruling was a complaint lodged by
European Facebook user Maximilian Schrems with the Irish data
protection authority. Facebook Ireland, the company's European
headquarters, transfers the data of its subscribers to the servers
of its parent company in the U.S. Mr. Schrems argued that the law
and practices of the United States offered no real protection
against U.S. surveillance of his data. The Irish authority rejected
the complaint, relying on the "Safe Harbor"
decision of the European Commission of July 26, 2000
(Decision 2000/520/EC). Safe Harbor is a U.S. government framework
containing a set of principles on the treatment of sensitive
personal data of EU citizens. According to the Commission's
decision, it is assumed that an adequate level of data protection
is guaranteed where U.S. companies agree to comply with these
principles. In the Irish authority's opinion, national
authorities should thus be prevented from launching investigations
into data transfers covered by the Safe Harbor scheme. The case was
brought before the High Court of Ireland, which further referred it
to the CJEU.
The key elements of the CJEU ruling are as follows:
- Primarily, the CJEU held that a Commission decision finding that a third country ensured an adequate level of data protection could not reduce the national supervisory authorities' investigative and banning powers granted by EU law. The Member States had to be able to take the measures necessary to safeguard the fundamental right to the protection of personal data under the Charter of Fundamental Rights of the EU. This required the national data protection authorities to have the means to launch their own investigations and make their own interim determinations about "adequacy" in matters already decided upon by the Commission and to refer those matters to national courts. A binding effect of decisions adopted by the Commission would inevitably limit this total independence.
- Furthermore, the CJEU explicitly declared the Commission's decision 2000/520/EC to be invalid. In the eyes of the CJEU, owing to its lack of guaranteed protection, the Commission's decision did not satisfy the requirements of EU data protection law. This finding is mainly based on the fact that the Safe Harbor scheme was applicable solely to the U.S. undertakings which adhered to it, and U.S. public authorities were not themselves subject to it. The court added that legislation permitting the public authorities to have access to the content of electronic communications on a generalized basis would have to be regarded as compromising the essence of the fundamental right to respect for private life. Likewise, legislation not providing individuals with any possibility to pursue legal remedies in order to have access to personal data relating to them or to obtain the rectification or erasure of such data compromised the essence of the fundamental right to effective judicial protection.
Whether one agrees with the CJEU's findings or not, this
judgment will have an enormous impact on international
companies' practice of processing personal data.
Data transfers to the U.S. are now associated with high
legal uncertainty. It will no longer be possible to rely
on the status of (currently around 4,500) U.S. companies partaking
in the Safe Harbor scheme to justify data transfers. In general,
U.S. companies dealing with personal data of EU subjects will have
to individually assess their respective legal data protection
programs. Moreover, the total independence of 28 different national
supervisory authorities might lead to significant differences in
interpretation and application of EU data protection law within
Europe. Additionally, the ruling is likely to affect data transfers
not only to U.S. companies, but also to other countries which the
Commission has previously considered to have adequate data
protection regimes. These two aspects could possibly result in a
situation where some recipient countries or methods of transfer are
accepted by data protection authorities in some European countries
but not in others until the CJEU has ruled on any question referred
to it. This would make it very difficult for companies to transfer
personal data out of the EU in a uniform way, requiring them to put
different mechanisms in place in each EU Member State.
The most obvious way for U.S. companies to deal with these
consequences might be the use of accepted Standard
Contractual Clauses. Additionally, for the transfer of employee
data within international companies in particular, the
implementation of Binding Corporate Rules might be a way to comply
with applicable EU data protection law. Nevertheless, the CJEU
ruling could set a precedent that allows data protection
authorities to question data transfers under these schemes, given
that they, too, have been considered appropriate by the
Commission. A third way of justifying the
transfer of EU citizens' personal data to the U.S. might be the
individual consent of each data subject concerned. The
practicalities of the latter, however, remain to be seen
considering the variety of national legislation on this question
across Member States.
Moreover, it remains unclear whether these alternatives will
satisfy national data protection authorities given the potential
for conflicting legal process issued by U.S. law enforcement and
intelligence agencies.
Some of the Safe Harbor scheme's shortcomings addressed in the
CJEU ruling might be mitigated by the so-called
"Umbrella Agreement" the U.S. and the EU
have been negotiating. The agreement is supposed to provide a new
framework for data protection, and it is to be expected that the
CJEU ruling will have an impact on the negotiations. Part of this
framework is the U.S. "Judicial Redress Act of
2015" which is supposed to grant EU citizens access
to redress before U.S. courts against unlawful data processing by
government agencies. However, Congress has not enacted the
legislation yet. Furthermore, due to the complexity of the subject
matter and the exacting requirements set forth by the CJEU, it
remains unclear for now whether all aspects of the CJEU ruling will
be addressed even if the legislation and the Umbrella Agreement are
implemented.
© Copyright 2015. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.