Top EU Court Finds EU-US Personal Data Transfers Not Safe Enough

– A more detailed view on the Schrems case

An idea first expressed in a law school paper has been taken up by the EU. On 6th October 2015, the Court of Justice of the European Union (CJEU) ruled in the case of Maximillian Schrems vs Data Protection Commissioner (case C-362/14) that the EU-US Safe Harbour decision was invalid. In its decision the CJEU followed the opinion of Advocate General (AG) Yves Bot, saying that indiscriminate data collection by US authorities is incompatible with adequate protection of personal data under EU law.

Data protection authorities of EU Member States may suspend the transfer of personal data from their states to the US if they find that data is not adequately protected. This can affect global companies running social networks, but also online retailers, businesses providing cloud storage services, and those transferring their human resources data to the US, such as Facebook, Google, Amazon, and many smaller ones (see list).

EU personal data protection law and transfers to third countries

In the EU, the protection of personal data is anchored in Article 8 of the Charter of fundamental rights. Even though national laws may vary, all EU Member States must protect personal data in accordance with the EU Data Protection Directive (Directive 95/46). Transfer of personal data from the EU to a third country may only take place if ‘the third country in question ensures an adequate level of protection’ (Article 25(1)) and in general this principle will also apply with the future General Data Protection Regulation (GDPR), according to Articles 40ff of the Commission’s proposal for the replacement of the 1995 Directive.

Under Article 25(6) of the 1995 Directive, the European Commission may find that a third country ensures an ‘adequate’ level of protection by reason of its domestic law or of the international commitments it has entered into for the protection of the private lives and basic freedoms and rights of individuals. The Commission then may issue a decision to that effect (Article 25(1)).

So far, such a finding has been issued with regard to 12 countries and territories, including New ZealandCanada, and Guernsey. According to all but one of these decisions, the competent authorities in EU Member States may exercise their existing powers to suspend data flows to a recipient in the third country. This way, individuals will be protected with regard to the processing of their personal data in cases where there is a substantial likelihood that the standards of protection are being infringed.

The decision regarding the US from 2000 (the ‘Safe Harbour decision’) was the only one where this power of EU Member States’ authorities was watered down to reviewing the voluntary adherence of US businesses to seven principles attached to the decision.

These principles could, however, be overruled by US domestic law, so the EU Member States’ authorities would be unable to suspend data flows even in case of serious mishandling of the data by US public authorities such as bulk collection of the transferred data in US national interest.

This state of affairs was criticised by the European Commission itself after the Snowden revelations, and these communications by the European Commission – COM/2013/0846 final and COM/2013/0847 final – were actually used by the CJEU in the Schrems case as one of the proofs of US bulk data collection.

The Schrems case

The Austrian plaintiff, Max Schrems, lodged a complaint against Facebook Ireland with the Irish Data Protection Commissioner (DPC) arguing that, contrary to the Safe Harbour decision, his data was not being protected from access by the US National Security Agency (NSA) when transferred to US servers. In view of the Snowden revelations, Schrems doubted the effective protection of his personal data.

After the DPC stated that there was no duty for her to investigate and thus refused to examine the complaint, the plaintiff filed an application for judicial review in the Irish High Court, which adjourned the case pending a reference to the CJEU. The High Court requested clarification on the question of:

‘whether the Safe Harbour decision has the effect of preventing a national supervisory authority [in this case Ireland’s DPC] from investigating a complaint alleging that the third country [in this case the US] does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data’.

The judgment of the CJEU clarified that a Commission decision aimed at adequately protecting the citizens’ personal data does not abolish the control mandate and power of an EU Member State’s national supervisory authority (¶53). The Court remarked that the guarantee of the independence of national supervisory authorities follows the intention to ensure the effectiveness and reliability of the monitoring of compliance with data protection rules (¶41). It also recalled EU case-law under which the European Union is a union based on the rule of law, meaning that all acts of its institutions are subject to review of their compatibility with, inter alia, the fundamental rights detailed in Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union) (¶60). Finally it stated that in such a case as this, it is incumbent upon the national supervisory authority to examine the claim with all due diligence (¶63). Therefore the Safe Harbour decision could not be exempt from such a review.

The invalidation of the Commission decision by the CJEU is based on several reasons. Firstly, the CJEU held that the Commission only examined the Safe Harbour scheme and did not determine whether the US in fact ensures a level of personal data protection equivalent to that guaranteed in the EU (¶83). Solely US organisations voluntarily adhering to the scheme are bound by the principles set out in the decision, whereas the US public authorities are not required to comply with them (¶82), because US national security, public interest, or law enforcement requirements have primacy over the Safe Harbourprinciples (¶86). This enables interference with the fundamental rights of people whose personal data is or could be transferred from the EU to the US (¶87). There were no findings in the Safe Harbour decision on US laws or treaties that would limit this interference (¶88), provide effective legal protection (¶89), or provide individuals with legal remedies (¶95).

The CJEU noted that the Commission’s own assessment in its communication of the situation (COM (2013) 846 final) revealed that US authorities were able to access personal data transferred from EU member states to the US, and the processing of personal data went beyond the scope of what was necessary and proportionate for reasons of national security (¶90).

In short, the Court highlighted that the Commission failed to require that the US ensures an adequate level of protection by reasons of its domestic law or international commitments which by itself was enough for the CJEU to invalidate Article 1 of the Safe Harbour decision (¶98).

Secondly, the CJEU stated that Article 3(1) of the Safe Harbour decision denies the national supervisory authorities the powers to take action to ensure compliance with Article 25 of Directive 95/46 (¶¶101-102). In adopting such a limitation, the Commission ‘exceeded the power which is conferred upon it in Article 25(6) of Directive 95/46’ (¶104), and consequently, CJEU ruled Article 3 of the Safe Harbour decision invalid.

As Articles 1 and 3 of the Safe Harbour decision are inseparable from the rest of the decision, the CJEU invalidated the whole decision (¶¶105-106).

Consequences and First Reactions

For all intents and purposes, the US lost its privileged status under Article 25 of Directive 95/46 and its undertakings will have to follow the same rules as those of any third country. The judgment took away the most important basis for personal data transfers from the EU to the US with the consequence of current legal uncertainty on how business affected by the decision should now continue the handling of data.

The Commission’s Vice President Timmermans and Commissioner Jourová tried to allay fears in a press conference on the same day as the CJEU issued its judgment. They both welcomed the judgment, saying that it confirmed the Commission’s position on renegotiating the Safe Harbour, but they also stated three priorities of the Commission: first, to guarantee the protection of EU citizens’ data transferred across the Atlantic; second, the continuation of transatlantic data flows, as they are important for the European economy; and third, to coordinate the response of national data protection authorities in the EU with regard to the transfers of data.

According to Timmermans, ‘transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under EU data protection law’. Jourová added that these mechanisms include standard contractual clauses and binding corporate rules, and some of the derogations listed in Article 26 of Directive 95/46, especially the free and informed consent of an individual.

According to Schrems’ first reaction after the verdict, while the average internet user might not feel any difference when providing personal data online, many companies (see the full list including Apple, AOL, Google, Microsoft) which adhered to the Safe Harbour principles will ultimately have to face the legal consequences of this judgment.

The Commission and the national data protection authorities, convening in an emergency meeting of the Article 29 Working Party, issued a statement on 16 October 2015, shedding some light on their position and plans. The Working Party urges the EU member states and European institutions to try to negotiate a solution with the US which would enable the transfers while respecting fundamental rights. The ongoing renegotiations of the new Safe Harbour could be a part of this solution. Nevertheless, if no appropriate solution is found by the end of January 2016, the data protection authorities may take unspecified ‘coordinated enforcement actions’.

According to the Working Party, standard contractual clauses and binding corporate rules can still be used, even though they will not prevent data protection authorities from investigating individual complaints. The Working Party stated that EU data protection authorities will inform the businesses that used to rely on the Safe Harbour decision appropriately, and it concludes with a warning that businesses should reflect on the eventual risks of transferring data and should put in place legal and technical solutions in a timely manner.

Way Forward

Companies might thus want to solve this situation by setting up standard contractual clauses or bind themselves to corporate rules. But this practice might prove fruitless because the verdict impacts on the validity of these measures as well, even though they would aim to provide guarantees for adequate protection (see also here). The US national authorities would still not be bound by any of the agreed provisions between the US company and their customers and if law does not change quickly within the US, companies will still have to hand over data to the authorities. The standard contractual clauses and binding corporate rules also include provisions to the effect that the subjects of personal data protection can directly enforce their rights with respect to the companies processing or controlling their data. If these companies cannot assure the level of protection envisaged by Directive 95/46, they could face numerous complaints and litigation, including class actions, in the EU member states. Also, binding corporate rules are tailor-made documents, which can make them prohibitively expensive for some companies.

Some companies might feel encouraged to set up their data centres within the EU and process data there to avoid the transfer dilemma but financial considerations might prevent some companies, especially SMEs, from taking this step. Also, the US authorities have in the past tried to assert jurisdictiondirectly over data physically located in the EU (the Microsoft Ireland case), if that data was ‘controlled’ from the United States. The EU or European national authorities may reply by asserting more control over the transfer of data from the EU.

Regarding the EU-US relations, the CJEU judgment seemingly gives more negotiating power to the Commission and the feeling of urgency to the US for the ongoing renegotiations of a new Safe Harbour. However, more likely, the conditions set down in the judgment may be impossible for the US to fulfil without amending its domestic legislation, and the negotiations could stall. Nevertheless, the negotiations concerning the EU-US Data protection umbrella agreement recently showed that the US can be willing to give citizens more rights. Article 19 of the now finalised document includes the rights of EU citizens to redress in a US court. Despite the different scope of this umbrella agreement, it could be a sign of the EU being capable of achieving a similar clause in the re-negotiations of Safe Harbour, enabling EU citizens to seek judicial remedy.

The case itself and the judgment send out a clear signal to third countries like the US that EU data protection level is non-negotiable, and that EU citizens are no longer willing to condone access to their personal data by prying governments, and highlighting the readiness to stand up for protecting their fundamental right to privacy. The verdict makes it clear that decisions regarding third countries concerning the transfer of personal data to those countries must comply with the whole set of personal data protection provisions under EU law. It is up to the EU Member States and their data protection authorities in particular, whether they will now focus on investigating EU-US data transfers in more depth.

Interestingly, the other Commission decisions pursuant to Article 25(6) of the Directive 95/46 contain a very similar wording to the Safe Harbour decision (compare Article 2 of the decision regarding New Zealand). Hence, the argument from ¶¶99-106 of the CJEU judgment also raises doubts about their validity. Since the countries whitelisted by the Commission as ensuring adequate data protection include Canada and New Zealand, which are alleged to have engaged in mass surveillance and shared intelligence with the US via the Five Eyes alliance, more similar cases before European domestic courts and the CJEU are to be expected.

Lorena Trinberg and Tomáš Minárik

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.