A recent European ruling has torpedoed the basis on which data has been transferred between the EU and the US. With Safe Harbour no longer a reliable option, Kitty Rosser, associate at Birketts Norwich, looks at the impact of the court case and the alternatives available.
On 6th October 2015, the Court of Justice of the European Union (CJEU) made its landmark ruling in the case of Maximillian Schrems v Data Protection Commissioner (C-362/14) declaring Decision 2000/520 of the European Commission (“the Safe Harbour Adequacy Decision”) invalid. The ruling, which is immediately effective, has caused widespread consternation among the thousands of businesses that have relied on Safe Harbour to validate transfers of personal data from the EU to the US in the 15 years since its introduction.
Under Article 25 of the EU Data Protection Directive (95/46/EC) (“the Directive”), a business may not transfer personal data to a country outside of the European Economic Area unless the recipient country provides an adequate level of protection for that data. This requirement is implemented into UK law as the eighth data protection principle in the Data Protection Act 1998. The European Commission (“the Commission”) has made a positive finding of adequacy in respect of a handful of countries (Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay), enabling data controllers to transfer personal data to those countries freely and without need to take any further action to ensure compliance with Article 25. The United States is a notable omission from this list of countries.
Despite an overwhelming commercial demand for freedom to transfer data to the US, a finding of adequacy in respect of the US by the Commission has been impossible given the dearth of effective national data protection legislation. Safe Harbour, negotiated between the Commission and the US government as a political compromise, enabled the transfer of data to the US without necessitating a finding of adequacy by the Commission.
Under Safe Harbour, US companies agree to adhere to a set of privacy principles (a condensed version of those in the Directive) and submit to enforcement by the US Federal Trade Commission. Once registered under Safe Harbour, a US company is treated as meeting the adequacy requirements in the Directive and data controllers may transfer personal data to that company freely. More than 4,000 US companies have completed the registration process with the US Department of Commerce and now rely on Safe Harbour to enable transfers of data to the US.
Safe Harbour, already the subject of criticism and review, came under fresh scrutiny following Edward Snowden’s 2013 revelations regarding US National Security Agency (NSA) data surveillance practices. EU-US negotiations regarding the introduction of a revised Safe Harbour (dubbed Safe Harbour 2.0) intended to address shortcomings in the existing scheme had been ongoing for two years at the time of the CJEU's ruling.
The case – a factual and procedural overview
Schrems, an Austrian law student, privacy advocate and Facebook user, made a complaint to the Irish Data Protection Commissioner (DPC) seeking to prevent Facebook from transferring his personal data to the US. Schrems argued that US law and practice did not afford adequate protection for his data against the mass surveillance brought to light by Snowden. The DPC rejected Schrems’ complaint as unfounded on the basis that it was bound by the Safe Harbour Adequacy Decision.
Schrems challenged the DPC's decision before the Irish High Court. The court found that, while electronic surveillance and interception of personal data transferred to the US may serve necessary objectives in the public interest, the Snowden revelations demonstrated a “significant over-reach” on the part of the NSA and other US federal agencies. The court also found that EU data subjects have no effective right to be heard as part of the US oversight proceedings. The court considered that the Safe Harbour Adequacy Decision failed to satisfy the requirements of Article 7 (right to respect for private life), Article 8 (right to protection of personal data) and Article 47 (right to a fair trial) of the Charter of Fundamental Rights of the European Union (Charter).
The Irish High Court referred the following questions to the CJEU:
The CJEU’s decision – key findings
The CJEU held that:
The CJEU emphasised that, where the validity of a Commission decision is in question, both national supervisory authorities and individual data subjects must be able to bring proceedings before the national courts so that the case can be referred to the CJEU. As a matter of jurisdiction, only the CJEU may declare a decision of the Commission to be invalid.
The CJEU’s reasoning - why did it find invalidity?
The CJEU did not find Safe Harbour in itself to be invalid. Safe Harbour is still in operation: the US Department of Commerce continues to accept new applications and to issue renewal certificates, and those signed up to Safe Harbour are still bound by its principles. What the CJEU found to be invalid was the Safe Harbour Adequacy Decision. Therefore, while Safe Harbour remains in place, businesses can no longer rely on the fact that a US company has registered under Safe Harbour to satisfy the adequacy requirements under Article 25 when transferring data to the US.
In considering the validity of the Safe Harbour Adequacy Decision, the CJEU determined that the Commission was required to find that the US ensures, through its domestic laws or international commitments, a level of protection of data subjects’ fundamental rights equivalent to that guaranteed by the Directive read in light of the Charter.
The CJEU observed that Safe Harbour is based on voluntary self-certification, is only applicable to those US undertakings that agree to adhere to it, and that US public authorities are not subject to Safe Harbour. The CJEU particularly noted that US national security requirements take priority over Safe Harbour so that any US undertakings certified under Safe Harbour are bound to disregard the Safe Harbour principles where they conflict with any US national security, public interest or law enforcement requirements.
The CJEU further noted that US legislation allows US public authorities access, on a generalised basis, to data transferred to the US without qualification or limitation by reference to specific objectives or objective criteria, and that under US legislation a data subject has no rights to access data or to obtain rectification or deletion of data. Finally, the CJEU found that the Safe Harbour Adequacy Decision restricts certain powers granted to national authorities under the Directive.
The CJEU concluded that fundamental rights of data subjects under the Charter had been compromised and that the Safe Harbour Adequacy Decision must therefore be declared invalid.
Alternatives to Safe Harbour
The Article 29 Working Party (an advisory body established by the Directive) released a statement following the ruling confirming that transfers taking place under Safe Harbour are now unlawful. Although negotiations for Safe Harbour 2.0 are continuing, it is uncertain when these will reach a conclusion. In the longer term, it is entirely possible that businesses will be able to look to Safe Harbour 2.0 to validate EU-US data transfers. But those that wish to continue transferring data to the US in the interim need to start reviewing and implementing alternative measures as soon as possible.
Alternative measures under the Directive include:
EU model clauses: The Commission has approved standard contractual clauses for both controller-to-controller and controller-to-processor data transfers. For many, implementation of model clauses will offer the most realistic alternative to Safe Harbour, though any business planning on adopting this measure should take time to fully understand how the model clauses work and the obligations they impose. The following issues are particularly noteworthy:
Binding corporate rules - BCRs allow multinational groups to make intra-group cross-border data transfers in compliance with Article 25. Those considering implementation of BCRs should take note of the following:
It should be noted that commentators and data protection authorities alike have been quick to voice concerns that both BCRs and model clauses could face findings of invalidity on the same grounds as Safe Harbour. The German data protection authority for the state of Schleswig-Holstein has adopted a particularly hard-line approach, releasing a public position statement in which it advises that use of model clauses can no longer be permitted and makes explicit reference to its powers to impose fines of up to €300,000 for breach of German data protection laws.
The Article 29 Working Party acknowledged in its own statement that there are genuine concerns regarding the use of model clauses and BCRs following the ruling, but nevertheless encourages businesses to look to these as an alternative solution to Safe Harbour. As matters stand, it would appear that model clauses may be the only realistic alternative for many businesses in the short term. But those relying on them as an alternative to Safe Harbour would be well advised to continue to closely monitor the situation and be prepared for the fact that further change may be required in the future.
Derogations - Data transfers can be made to third countries without regard to the adequacy requirements if any of the following apply:
Use of the derogations will need to be carefully reviewed in each case, bearing in mind guidance issued by the Information Commissioner regarding their use. For example, while consent may appear at first glance to be a convenient solution, it is clear from the guidance that not only may it be difficult to obtain appropriately informed consent, but that consent is not viewed as a viable option for long-term structured data transfers. However, depending upon the business model, derogations can provide a useful source of solutions, at least as an interim measure.
On a more practical note, businesses are advised to review their operational procedures and consider whether opportunities exist for addressing compliance issues through operational changes, such as switching to alternative suppliers within the EEA or anonymising data.
Next steps – a practical checklist
At this stage, further guidance is still awaited from data protection authorities and, while it cannot be ruled out, no immediate enforcement action is anticipated. However, businesses do need to review their positions as a matter of priority and at least identify, if not yet actively implement, new compliance measures. The following steps may assist businesses in this process: