When the Court of Justice of the European Union (CJEU) handed down its judgment in Maximillian Schrems v. Data Protection Commissioner, legal and business communities alike rushed to understand the implications of the shock ruling.
The decision states that:
- a Commission decision on the ‘adequate protection’ offered by a non-EU member state cannot exclude or reduce the powers available to national data protection authorities to examine complaints brought to them by data subjects; and
- data protection authorities do not, themselves, have the power to invalidate a Commission decision. However, data protection authorities and data subjects can refer questions of validity to national courts, which, in turn, can refer the question to the CJEU. The CJEU does have the authority to declare Commission decisions to be invalid.
The CJEU also finds the Commission’s US Safe Harbor Decision to be invalid because:
- the decision contains a derogation which allows safe harborites to share data for national security purposes. However, the agencies with whom data are shared fall outside the safe harbor scheme and the Safe Harbor Decision does not address whether there is adequate protection for personal data so processed; and
- the Safe Harbor Decision sets too high a bar for data protection authorities to be able to intervene. This undermines the independence of data protection authorities. The Commission does not have the authority to do this.
Maximillian Schrems (an Austrian citizen) has been a Facebook user since 2008. Non-US Facebook users contract with Facebook Ireland, which, in turn, transfers such user data to its US servers.
Concerned by the Snowden 2013 revelations, Schrems complained to the Irish Data Protection Commissioner and asked the Irish Commissioner to investigate whether there was adequate protection for data transferred in this way.
The Irish Commissioner rejected this complaint on the basis of Commission decision 2000/520/EC of 26 July 2000 (the ‘Safe Harbor Decision’). This provides that data may be transferred to US companies which participate in the ‘Safe Harbor’ scheme, on the basis that the scheme provides ‘adequate protection’. The Irish Commissioner considered that he was, in effect, bound by this finding.
Schrems judicially reviewed the finding of the Irish Commissioner. The High Court of Ireland requested a preliminary ruling on the question of whether or not the Irish Commissioner was absolutely bound by the default position within the Safe Harbor Decision, notwithstanding the need to give effect to rights under the EU’s Charter of Fundamental Rights 2000 (the ‘EU Charter’) and the Data Protection Directive (Directive 95/46/EC).
Judgment of the CJEU:
The CJEU stated that it alone has jurisdiction to declare that an EU act, such as the Commission’s US Safe Harbor Decision, is invalid.
Where a national authority or the person bringing the matter before a national authority considers that a Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts so that they may refer the case to the CJEU if they too have doubts as to the validity of the Commission decision. It is thus ultimately the CJEU which has the task of deciding whether or not a Commission decision is valid.
Having conducted a review of the Commission’s US Safe Harbor Decision, the CJEU considers it should be invalidated for the following reasons:
- The Safe Harbor Scheme contains a derogation allowing personal data to be processed for US national security, public interest and law enforcement requirements, irrespective of the Safe Harbor principles.
- The Commission itself has admitted in two communications that (i) US authorities are able to access the transferred personal data in a way incompatible, in particular, with the purposes for which it was transferred and to an extent beyond that strictly necessary and proportionate for the protection of national security and (ii) affected individuals currently have no administrative or judicial means of redress enabling the data relating to them to be accessed and, as the case may be, rectified or erased.
- The CJEU referred to the tests set out in the Digital Rights Ireland case (C-293/12 and C-594/12), which addressed the legality of EU data retention legislation, and noted that, inter alia, there would need to be clear and precise rules of law governing such activities and that data should only be processed where strictly necessary.
- In 2000, the Commission did not assess whether the US in fact ensured, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the Directive, read in the light of the Charter.
Accordingly, the decision is invalid. The CJEU also confirmed that the Decision restricted the ability of data protection authorities to investigate, by setting the bar for intervention too high. The Directive requires that data protection authorities have independence in their activities and did not authorize the Commission to restrict this right. Accordingly, on this ground as well the CJEU finds the Safe Harbor Decision to be invalid.
With regard to its impact on law enforcement, some critics argue that the CJEU decision may hamper US authorities' investigations (e.g. US law enforcement agencies that operate overseas) or US litigation that requires personal data processed by US companies in the EU. They fear that this will be restricted when European citizens are involved now that there is no legal basis to justify the data transfer to the US. This would affect, for example, responses to subpoenas, search warrants or so-called pre-trial discovery requiring the provision of EU data to US bodies in US investigations or litigation.
In our view this fear is not really justified, and we believe that the situation where companies have to respond to subpoenas or are subject to search warrants or pre-trial discovery does not change much in practice as a result of the CJEU decision. This is because, from an EU-law perspective, (i) Safe Harbor was never used per se to justify the transfer of data to the US but only constituted a tool (among other tools, such as the so-called EU Model Clauses) for providing a similar (“adequate”) level of data protection in the US compared to that of the EU; and (ii) data transfers always required further justification (e.g. based on the principle of balancing of interests, which is in particular subject to the principles of purpose limitation, necessity of data, data avoidance and data minimization). This means that US (parent) companies still have to consider the differences between US law obligations and conflicting European data protection rules – the only difference is that companies can no longer rely on Safe Harbor in this respect (but this applies to US data transfers in general).
Where law enforcement relies on existing formal procedures agreed between the EU and the US, e.g. the Mutual Legal Assistance Treaties, under which requests are addressed to EU authorities rather than directly to companies, the Safe Harbor decision also has no direct impact (not least because such transfers are between public authorities and not private companies). Yet the decision may have an indirect effect, since the underlying criticism of the CJEU may be considered when deciding whether or not a request can be fulfilled (or denied because it is contrary to important public policy). However, the practical impact here may be rather low.
The decision creates significant uncertainty for organizations that rely on Safe Harbor either for their own internal data transfers, or because they use a service provider which, in turn, relies on Safe Harbor to provide adequacy for its transfers to the US. Alternative methods of addressing data transfers will be needed – such as implementing EU Commission approved data transfer agreements, or obtaining individual consent. Although the decision has invalidated Safe Harbor – with immediate effect – organizations will need to look to the reactions of national data protection authorities to determine how urgently to implement alternative data transfer solutions. For example, the UK Information Commissioner has already issued a measured press release – noting that, whilst alternative approaches will be needed, it will be taking time to assess the situation, including by liaising with other EU data protection authorities.