The Court of Justice of the European Union (“CJEU”) has decided that the Safe Harbor framework, which has regulated transfers of personal data from organisations based in the EU to US participating recipients since 2000, is invalid and must be suspended with immediate effect.
This article will:
- outline the impact of the decision
- explain what this decision means in practice for organisations in the EU and US
- analyse Schrems v. Data Protection Commissioner, the case which led to this decision
- examine what might happen next
What is the impact of the CJEU’s 'Safe Harbor' decision?
Given that the Safe Harbor framework is now invalid, any transfers of personal data from the EU to US participating organisations that took place on the basis of the framework are unlawful.
EU-based organisations and US participating recipients relying on the Safe Harbor framework must immediately find an alternative means of justifying the data transfer, otherwise the transfer is illegal and subject to challenge.
It is likely that national data protection authorities within the EU Member States, including the Information Commissioner’s Office in the UK, will give organisations time to put alternative mechanisms in place.
What do organisations need to do now?
If your organisation transfers personal data to US participating organisations or is a US-based service provider to EU organisations that formerly relied on the Safe Harbor framework, it needs to take steps to find alternative mechanisms to legitimise data transfers.
First, it can make a self-assessment as to the adequacy of US data protection laws from legal, political and economic perspectives. Given the CJEU's decision and the level of risk involved, this route is not recommended.
It can also seek to adduce "adequate safeguards" - a lesser standard than adequate protection but still acceptable under EU Data Protection law - by using either the European Commission's model data transfer clauses or its own clauses, whether standalone or incorporated into a wider commercial agreement.
A third possibility for larger, international organisations is to rely on internal "binding corporate rules" or data protection policies / codes of conduct to justify the transfer, which must be approved in advance by the Information Commissioner's Office for UK-based organisations. Approval can take up to 12 months.
Why has Safe Harbor become exposed?
Mr Schrems is an Austrian national who uses Facebook. Any person within the EU who wishes to use Facebook must agree to the terms and conditions of Facebook Ireland, the EU subsidiary of Facebook Inc., the US parent company. Facebook Ireland transfers the personal data of its EU users to servers belonging to Facebook Inc. in the US, where it undergoes processing.
EU Data Protection law provides that personal data may not be transferred to a country outside the EU, unless that country ensures an adequate level of data protection. In 2000, the European Commission issued a decision determining that the Safe Harbor framework, which was agreed between the EU and the US, provides an adequate level of data protection for transfers of personal data from EU organisations to US participating recipients. Over 3,000 US organisations participate in the Safe Harbor framework, including Facebook, Google and Microsoft.
Mr Schrems contended that, despite the European Commission’s decision that the Safe Harbor framework offers adequate protection, the fact that any personal data transferred to the US would be likely to be subject to mass surveillance and mining by US intelligence agencies following the Snowden revelations means that US organisations participating in the Safe Harbor framework, including Facebook, could not be regarded as providing adequate levels of data protection. Mr Schrems therefore requested the Irish data protection authority to exercise its powers to prohibit the transfer of personal data by Facebook Ireland to Facebook Inc.
The matter eventually escalated to the Irish High Court, which took the view that Mr Schrems essentially raised issues as to the legality of the European Commission’s adequacy decision on the Safe Harbor framework and referred the matter to the CJEU for determination. The Irish High Court asked the CJEU to determine whether, in considering a complaint from an individual that a country does not provide an adequate level of data protection, a national data protection authority is bound by a European Commission adequacy decision, or whether it is entitled to conduct its own investigation and come to a view based on the factual circumstances that have arisen since the European Commission’s decision was issued.
What did the CJEU decide?
The CJEU determined that it is not for the national data protection authorities to decide whether a Commission adequacy decision is valid. Only the CJEU has the power to declare such a decision invalid. However, that is not to say that a person cannot make a complaint to a national data protection authority, alleging that the transfer of their personal data to a non-EU country subject to a European Commission adequacy decision will breach their data protection rights, and require the authority to investigate “with all due diligence”. If the national data protection authority does not agree with the individual’s submissions, the individual must be entitled to challenge the authority’s decision in the national courts, which may refer the matter to the CJEU where the individual’s grounds of invalidity are well-founded. On the other hand, where the national data protection authority agrees with the individual, the authority must be able to engage in court proceedings at the national level with a view to having the matter referred to the CJEU for determination.
The CJEU then went further and considered the validity of the European Commission’s Safe Harbor decision. While this was beyond the scope of the Irish High Court’s referral to the CJEU, the CJEU felt that this was necessary “in order to give the referring court a full answer”.
The CJEU considered that in deciding whether a non-EU country offers adequate data protection, the European Commission must consider the content of the applicable rules in that country, consisting of its national law and the international commitments that it has entered into and the mechanisms in place to ensure compliance with those rules. The European Commission must also regularly review whether the initial adequacy decision remains “factually and legally justified”, particularly where evidence has come to light after the decision’s adoption that casts doubt on the original decision.
The CJEU took the view that the European Commission’s Safe Harbor framework adequacy decision only concerns the protection offered by the framework itself, without reference to the national and international commitments that the US has entered into. In addition, the CJEU noted that the decision provides that national security, public interest and law enforcement considerations can overrule the Safe Harbor framework, in effect subjugating the rights of individuals whose personal data has been transferred to a US participating organisation to these considerations.
The CJEU further noted that the European Commission’s adequacy decision does not contain any safeguards designed to limit interference with EU individuals’ rights by US intelligence agencies and there are inadequate enforcement mechanisms on which EU individuals can rely to challenge any such interference or by which individuals may access, rectify or have erased personal data relating to them. In the CJEU’s view, any such interference must be restricted to what is absolutely necessary but this was not the case under the Safe Harbor framework, where US intelligence agencies have unlimited access to personal data received by participating US organisations.
For these reasons, the CJEU found that the European Commission’s adequacy decision in relation to the Safe Harbor framework was invalid.
What does the future hold?
The European Commission has been in negotiations with the US on a revised Safe Harbor framework for over a year, and the CJEU’s decision is likely to hasten the implementation of the new framework.
In the meantime, the European Commission has confirmed that it will provide guidance for organisations in light of the CJEU’s ruling on the available alternative data transfer mechanisms. The EU Data Protection Working Party, which is composed of representatives from the national data protection authorities of the EU Member States, has confirmed that a meeting of experts will also be arranged in Brussels this week to discuss the way forward.