What are the implications of the Safe Harbour decision?
Schrems v Data Protection Commissioner of Ireland
Max Schrems must be delighted. After a lengthy battle with the Irish Data Protection Commissioner (DPC) he now has some satisfaction. How did the Austrian student battle to get this satisfaction? In June 2013, Schrems complained to the Irish DPC about Facebook’s practice of transferring the personal data of its users to its parent company in the US. Schrems made these complaints following the widespread revelations that the US National Security Agency (‘NSA’) had been monitoring the personal data of Facebook users.
The Safe Harbour principles allowed US companies to effectively self-certify that they met EU standards in terms of processing and securing data. Once a US company was on the Safe Harbour list then the data could be transferred. This allowed the transfer to fall under an exception in the EU Data Protection Directive. Transfers outside the EU are prohibited unless the country to which the data is being transferred provides an adequate level of protection for the data. Safe Harbour was deemed to fulfill this requirement of an adequate level of protection. This made data transfers easy and meant that significant amounts of data were constantly on the move. It’s estimated that over 4,000 companies availed of the Safe Harbour exemption.
However, once that personal data was transferred, it fell under the remit of US national security laws and could be intercepted and monitored. In other words, Big Brother was watching, despite the EU data protection principles. Schrems asked the DPC to intervene to prevent Facebook’s Irish company from transferring his data to its US parent. The DPC refused to intervene, pointing to the fact that the EU Commission had approved the Safe Harbour framework. Schrems took this to the Irish High Court, and the High Court referred the questions raised to the Court of Justice of the European Union (CJEU).
CJEU Decision – Safe Harbour Invalid
The CJEU broadly followed the recommendations of its Advocate General, Yves Bot, and found that local data protection authorities need to satisfy themselves of the adequate level of protection available when data is being transferred outside of the EU, regardless of the Safe Harbour framework. The CJEU found that the original Commission decision permitting the Safe Harbour framework was invalid because the supremacy of national security laws in the US over privacy meant that the adequate level of protection to be provided was completely overridden. This does not mean that local DPCs can ignore Commission Decisions – it is for the CJEU alone to review these decisions.
Implications for Europe & US
The CJEU decision means that the case will now come back to the Irish High Court for a final decision. It is likely the High Court will order that the Irish DPC conduct a full investigation into Schrems’ complaint. Given the budgetary and resource constraints on the Irish DPC this is a mighty big task.
In the meantime, negotiations are ongoing between the US and the EU to come up with an updated version of the Safe Harbour framework. This was in the pipeline anyway before the Schrems CJEU decision, because of concerns around the self-certifying nature of the framework. Both sides will now have to ramp up discussions to find a solution. Schrems has put the pressure on.
What should your company do?
It’s not all bad. To answer the question posed – not all data transfers to the US are now illegal. Safe Harbour was only one way to legitimise a transfer. The EU Commissioner for Data Protection, Vera Jourova, has confirmed that transfers can continue stateside once the companies involved have other safeguards in place.
This means companies need to examine what other means they may have to legitimise the transfer of personal data. Companies need to go back to how they have collected the data and what agreements they have entered into with users. Are any of the other exemptions to the general prohibition on transfers applicable? For example:
- Has the data subject given consent?
- Is the transfer necessary to perform the contract with the data subject?
- Is it necessary in order to take steps to enter into the contract with the data subject?
- Are there Model Contracts or Binding Corporate Rules in place which mean the transfer can take place?
Consent to transfer data to the US may now need to be sought. This will be difficult if there was no contract between the processor and the data subject. A new framework is likely to be published in the near future that can deal with the concerns the old framework raised. The Irish DPC will bring the case back to the Irish High Court on 20 October and then press on with any subsequent investigation of Facebook as soon as possible. It is only then that Facebook may have to suspend transfers – if an adequate level of protection is not found. Facebook has already stated that it has other safeguards in place outside of Safe Harbour. The other good news is that cloud computing in Europe and Ireland is likely to get a huge boost as companies with US parents look to store data in the EU and avoid the transfer issue.
For more on rethinking your data transfer strategy, take a look at Eoin O’ Cinneide’s article on the options available to companies here.