Multi-national companies will need to review their processes and policies for transferring data from the EU to US, after the Safe Harbour scheme was ruled invalid by the European Court of Justice (ECJ). This ruling which has implications for many US and European companies follows a headline-grabbing case led by Max Schrems, a 27 year old Austrian law student.
Pieter de Waal, a solicitor specialising in information rights & data protection with Artington Legal, explains the background and what this means for businesses.
The ‘Safe Harbour’ scheme
Under European privacy laws, personal information held by private companies can only be transferred abroad if the recipient country ensures an adequate level of data protection.
In July 2000, the European Commission decided that the Safe Harbour scheme adopted by the US ensured an adequate level of protection of transferred personal data of EU citizens. This self-certification scheme included a series of principles concerning the protection of personal data to which US businesses could subscribe voluntarily. For example, organisations had to notify individuals about the purposes for which their personal data would be collected and used, and give individuals the opportunity to choose (opt out) whether their personal information would be disclosed to a third party. Organisations also had to take reasonable precautions to protect personal information from loss, misuse and unauthorized access or disclosure.
Why did Max Schrems challenge the Safe Harbour scheme?
Max Schrems is an active campaigner against the data practices of American tech corporates and has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by him to Facebook was transferred from Facebook’s Irish headquarters to servers located in the US.
Mr Schrems lodged a complaint with the Irish Data Protection Commissioner on the basis that the revelations made in 2013 by Edward Snowden concerning the activities of the US intelligence services demonstrated that the US law and practices did not offer sufficient protection against the surveillance of personal data by public authorities in that country.
In the courts
The Irish Commissioner rejected the complaint on the ground that the European Commission had determined in 2000 that, under the Safe Harbour scheme, the US ensured an adequate level of protection of transferred personal data.
The case was brought to the High Court of Ireland, who referred the matter to the ECJ to determine whether the Safe Harbour determination made by the European Commission prevented a national authority (like the Irish Commissioner) from investigating a complaint about adequate levels of protection in the US and from suspending a transfer of data to that country.
On 6 October 2015, the ECJ held that the existence of Safe Harbour did not eliminate or reduce the powers available to a national authority to protect privacy rights. Such an authority, when dealing with a complaint, must be able to examine with complete independence whether the transfer of data to a third country complied with the requirements of European privacy law. However, only the ECJ would have jurisdiction to declare that a decision of the European Commission was invalid. Consequently, where a national authority (or the person complaining to it) considers that a Commission decision is invalid, that authority or person must be able to bring proceedings before the national courts for a referral to the ECJ.
Does the Safe Harbour scheme afford adequate protection for EU citizens?
The ECJ considered whether the Safe Harbour decision made by the European Commission was invalid – did the US effectively ensure, by reason of its domestic law or its international commitments, a level of protection of privacy rights equivalent to that guaranteed within the EU?
The court observed that the Commission had not made such a finding, but merely examined the Safe Harbour scheme. It identified a number of weaknesses in the scheme:
- the scheme was applicable only to US businesses who volunteered to adhere to it;
- US public authorities were not subject to it;
- public interest and the interests of national security and law enforcement in the US prevailed over the Safe Harbour scheme, which meant that US businesses were bound to disregard its protective rules where they conflicted with those interests; and
- the European Commission did not identify any US rules intended to limit such interference or to provide effective legal protection against it.
The court considered that this analysis of the scheme was borne out by two communications issued by the European Commission, permitting US authorities to access personal data transferred from EU Member States and to process that data for purposes that were incompatible with the purposes for which it was transferred and beyond what was strictly necessary and proportionate to the protection of national security. It was also noted that the persons concerned had no administrative or judicial means of redress, particularly to allow them to access, rectify or erase the data.
The court held that EU privacy law was not limited to what is strictly necessary when it comes to authorising general storage of personal data transferred from the EU to the US. There had to be an appropriate and objective differentiation and limitation in the light of the objective pursued. The court added that legislation permitting public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.
Finally, the court found that the European Commission’s decision on Safe Harbour could not deny national authorities, such as the Irish Data Protection Commissioner, the power to determine whether that scheme is compatible with the protection of privacy rights.
The European Court of Justice declared the Safe Harbour decision invalid, with the consequence that the Irish Data Protection Commissioner is now required to consider Mr Schrems’ complaint and to decide whether a transfer of the Facebook data to the US should be suspended on the ground that it does not afford an adequate level of protection of personal data.
Concerns about the Safe Harbour scheme are not new, and negotiations have been taking place for some time between the European Commission and US authorities with a view to introducing a more privacy protective arrangement.
However, in the meantime the ruling of the ECJ is significant and has implications for businesses who are members of the scheme and seek to continue to transfer personal data from Europe to the US on a lawful basis.
The judgment makes it clear that they have an obligation to ensure adequate protection when the data leaves the EU. This means that those businesses will have to review their transfer and processing practices.
It should be remembered that the Safe Harbour scheme is not the only basis on which personal data can be transferred to the US. Many transfers take place based on different provisions and arrangements, and different options are available to ensure legal compliance.
- Binding corporate rules – one option is to adopt ‘binding corporate rules’ to allow multinational groups to transfer personal data to their affiliates outside the EU in compliance with EU law. To be successful, the relevant organisation will have to demonstrate that it has in place adequate safeguards for protecting the data throughout the organisation. However, these rules would not cover the transfer of personal data outside a corporate group.
- EU-compliant model contract clauses – Another option is to execute EU-compliant model contract clauses to transfer personal data to controllers and processors located in countries which do not afford adequate levels of protection. While model clauses may be satisfactory for smaller companies and bilateral data sharing, their wider use in large multinational organisations can be difficult and impractical where the data is to be processed in a wide and complex structure. There is also a requirement to monitor compliance with their terms once they are in place, and they require administrative processes for filing and approval.
The suitability of each solution will depend on the cost-benefit analysis, the type of personal data, and the purposes for which it is to be transferred.
For further information
Pieter de Waal is a Member of the Information Rights Tribunal, which deals with information law cases including freedom of information, data protection and privacy in electronic communications. He was formerly Head of Legal & Company Secretary at the Olympic Delivery Authority.