As anticipated by our earlier article (published on October 2, 2015) “EU U.S. Data Protection: The Safe Harbor Framework Under Attack”, Europe’s highest court, the Court of Justice of the European Union (CJEU), has followed Advocate General Bot’s non-binding opinion of September 23, 2015, and has declared that the European Commission’s decision 2000/520 regarding the U.S.-EU Safe Harbor scheme (the 2000 Decision) is invalid, and that national supervisory authorities may proceed to evaluate whether a given country ensures an adequate level of protection of personal data (in the case of the U.S., notwithstanding participation in the Safe Harbor scheme). The CJEU’s judgment is available here.
The EU Data Protection Directive 95/46/EC (the Directive) permits transfers of personal data from a country within the European Economic Area (the EEA) to a country outside the EEA (a third country) if that third country ensures an adequate level of protection of the personal data. The Directive also permits transfers to any third country in respect of which the Commission has made a positive finding of adequacy. Pursuant to the Directive, the Commission stated in its 2000 Decision that personal data can be transferred to recipients in the U.S. which have signed up to the U.S.-EU Safe Harbor scheme.
Yesterday’s finding by the CJEU was made in the context of the on-going case in the High Court of Ireland brought by Austrian student, Max Schrems, against the Irish Data Protection Commissioner (the data protection supervisory authority of Ireland). Mr. Schrems challenged the Irish Data Protection Commissioner’s assertion that it was prevented by the 2000 Decision from investigating Mr. Schrems’s allegation that certification under the U.S. Safe Harbor scheme did not provide an adequate level of protection for his personal data transferred by Facebook Ireland Limited to servers in the U.S. The High Court of Ireland made a request to the CJEU for a preliminary ruling as to whether the 2000 Decision prevented national supervisory authorities from investigating an individual’s claim that a third country does not provide an adequate level of protection of data, including in circumstances where the Commission has made a finding of adequacy.
The CJEU held that the 2000 Decision does not prevent a supervisory authority of a Member State from examining an individual’s claim that the law and practices in force in a third country to which their personal data has been transferred do not ensure an adequate level of protection. Moreover, the CJEU has also held that the 2000 Decision fails to comply with the requirements of the Directive and is therefore invalid.
Yesterday’s judgment has wide-ranging implications for those European and U.S. entities that rely on the Safe Harbor scheme. The UK’s Information Commissioner’s Office has issued a statement in response to the judgment, stating, “The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the U.S. is transferred in line with the law. We recognise that it will take them some time for them to do this.”[sic]
It is important to remember that there are alternative options for the transfer of personal data to the U.S. (as well as to other countries). If the transfer is between companies belonging to the same multinational corporate group, the group may rely on binding corporate rules that have been approved by the relevant national supervisory authorities. Transfers may also be made to third countries if the individual to whom the data relates has given their clear consent to the transfer. All of that said, the judgment by the CJEU may well open the floodgates to claims from individuals regarding the adequacy of protection (i) in third countries in respect of which the Commission has made a finding of adequacy, and (ii) potentially also for transfers made under Commission-approved Model Contractual Clauses.
The Commission has been in negotiations with the U.S. for over a year on how to improve the current Safe Harbor framework: yesterday’s judgment highlights the urgent need for a new framework for the transfer of personal data from the EU to the U.S. in accordance with EU data protection legislation. The European Parliament’s Civil Liberties Committee Chair, Claude Moraes, has stated, “The decision by the European Court of Justice today, declaring the invalidity of the Safe Harbor agreement, forces the European Commission to act in order to ensure that transatlantic transfers of personal data of EU citizens to companies in the US offer the continuity of protection required by EU law and come up with immediate alternative to Safe Harbor.”
In the meantime, both European and U.S. entities should ensure that they are taking practical measures to safeguard personal data transferred to them from the EEA. Companies should review and, as appropriate, bolster the obligations relating to the safeguarding of personal data in their contractual arrangements with data processors and controllers in the U.S., including obligations on those parties to maintain data handling, information security, and breach response policies and procedures, and measures for the validation of systems and controls, including the right to audit such policies and procedures. At this stage, the Model Contractual Clauses remain a valid means of transferring personal data outside the EEA, but they should be bolstered by independent contractual provisions as necessary so that any future invalidity determination would leave the contractual obligations intact.
From a U.S. perspective, ensuring that your company has executed and implemented written policies and procedures addressing the handling, retention, security, use and deletion of EU personal data (including employee data, customer data, and personal data about potential leads and others) sent to the U.S. has now become even more imperative. In the event of a challenge as to the adequacy of protection afforded to EU personal data held by the U.S. offices of a company, the ability to point to these policies and their concrete implementation will, we believe, go a long way towards establishing the company’s commitment to the safeguarding of EU personal data, regardless of the selected method of formal compliance with EU cross-border transfer requirements.
A reference for a preliminary ruling allows the courts of Member States of the European Union to refer questions to the CJEU about the interpretation of European Union law and/or as to the validity of a European Union act. It will now be for the High Court of Ireland to make a decision in the case brought by Mr. Schrems against the Irish Data Protection Commissioner in accordance with the Court’s decision. Notably, the CJEU’s judgment will also be binding on other national courts and tribunals in the European Union in which similar issues are raised.