On 6 October 2015, the Court of Justice of the European Union ("ECJ") invalidated the European Commission Safe Harbour Decision (Case C-362/14 (Maximilian Schrems v. Data Protection Commissioner)). The ECJ judgment came only weeks after the Advocate General had published his opinion in this case (see VBB on Business Law, Volume 2015, no 9, p. 10, available at www.vbb.com).
Under EU Directive 95/46/EC (the "Data Protection Directive"), personal data must not be transferred to a recipient outside the EEA unless such a recipient is located in a country which is deemed to provide an adequate level of protection (Article 25(1) of the Data Protection Directive). This decision on "adequacy" is made by the European Commission in accordance with Article 25(6) of the Data Protection Directive. For instance, in Decision 2000/520, the European Commission decided that the US Safe Harbour Privacy system ensures an adequate level of protection for personal data transferred from the EU to companies established in the US.
The Safe Harbour system includes a series of principles concerning the protection of personal data to which US companies may subscribe voluntarily. Many US companies have signed up to the Safe Harbour scheme and transfer personal data from the EU on the basis of Decision 2000/520.
The role of national data protection authorities
In the judgment of 6 October 2015, the ECJ first assessed the role of national data protection authorities with regard to the Safe Harbour adequacy decision.
The ECJ held that, in principle, a decision of the European Commission on the basis of Article 25(6) of the Data Protection Directive is binding on all Member States. However, the ECJ also considered that national data protection authorities must be able to examine with complete independence whether the transfer of a person's data to a third country satisfies the requirements laid down by the Data Protection Directive. The European Commission decision on Safe Harbour therefore does not prevent the national data protection authority from examining a claim that would cause the mentioned decision to become invalid.
Nevertheless, a national data protection authority cannot invalidate the European Commission decision. Indeed, the ECJ recalled that it alone is competent to invalidate a European Commission decision.
Therefore, the ECJ recommends that national data protection authorities bring a case before national courts and refer questions to the ECJ for a preliminary ruling if an adequacy finding of the European Commission is liable to be declared invalid.
Safe Harbour decision invalidated
Although this was not explicitly requested by the referring court, the ECJ also assessed the validity of European Commission Decision 2000/520. In particular, the ECJ sought to determine whether Safe Harbour provides protection essentially similar to that in the EU and reached the conclusion that this was not the case.
First, the ECJ considered that Safe Harbour only includes self-certified companies. Other entities, including public US bodies, do not have to comply with the Safe Harbour principles. Accordingly, the ECJ found that the Safe Harbour regime does not grant essentially the same protection to personal data as EU data protection law.
The ECJ further maintained that US procedures do not allow for judicial or administrative means of redress, as required under Article 47 of the EU Charter of Fundamental Rights and therefore do not afford the level of judicial protection expected by EU citizens. According to the ECJ, the European Commission Decision 2000/520 also limits the powers granted to national data protection authorities under the Data Protection Directive.
As a result, the ECJ stepped in and declared European Commission Decision 2000/520 to be invalid.
Consequences and reactions
The invalidation of the Safe Harbour decision will have an immediate effect on transfers of personal data between unrelated companies, intra-group transfers of such data, as well as services that companies rely on, such as cloud services. In particular, transfers of personal data from the EU to the US on the basis of the Safe Harbour decision could be prohibited.
Because of the resulting uncertainty, companies may start looking for alternative solutions, such as standard data transfer agreements and Binding Corporate Rules ("BCR"). In addition, companies will have to review their existing contracts with service providers that transfer personal data outside the EU.
In a first response to the ECJ judgment, the European Commission recommended that transatlantic transfers of personal data should be continued on the basis of alternative measures or derogations contained in the Data Protection Directive. The European Commission also promised to provide guidance to national data protection authorities to address questions regarding international transfers in a harmonised manner.
The Article 29 Working Party ("WP29"), an independent European advisory body on data protection and privacy composed of a representative of the national data protection authority of each EU Member State, issued a press release following the judgment in which it called for a harmonised approach. In an attempt to allow companies to comply with the invalidation of the Safe Harbour decision, it indicated that no enforcement action in this regard would be taken before the end of January 2016. By contrast, a separate press release from the German data protection authorities appears not to exclude such enforcement action.
On 29 October 2015, the European Parliament adopted a Resolution which welcomes the ECJ judgment and urges the European Commission to assess its legal impact on other instruments, including the recent EU-US umbrella agreement. The EU-US data protection "Umbrella Agreement" puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation. The EU and US authorities reached a political understanding on this Umbrella Agreement in September 2015.
The ECJ judgment also puts pressure on the US Federal Trade Commission and the European Commission, which are currently negotiating a "new" Safe Harbour framework. In addition, this judgment is likely to have an impact on the draft General Data Protection Regulation, which is in the final stages of the legislative process.