Unsafe Harbour? The Schrems Decision and its implications

The decision of the Court of Justice of the European Union in the case of Maximillian Schrems -v- Data Protection Commissioner (C-362/14) was delivered on 6th October 2015.

The Max Schrems case was a preliminary ruling request from the Irish High Court to the Court of Justice of the European Union (the “CJEU”). The Irish High Court case concerns a challenge brought by Max Schrems against the Irish Data Protection Commissioner as to whether it should have taken action and investigated transatlantic transfers of data which were carried out by Facebook via the EU Commission approved “Safe Harbour” system.

EU data protection law ordinarily prohibits transfers of personal data outside of the European Economic Area (the “EEA”) to countries that are deemed not to provide an adequate standard of protection for personal data. “Safe Harbour” is a US/EU agreed framework (approved by way of EC Decision 2000/520/EC) which provides for a derogation from this default in circumstances where, in the absence of a general data protection law in the United States, adhering companies voluntarily sign up and commit to the Safe Harbour Privacy Principles and FAQs. These principles are then binding on those companies under US law and enforceable by the US Federal Trade Commission. The CJEU’s decision in this case has significant implications for entities that transfer personal data to the United States or have signed up to Safe Harbour.

The CJEU Judgment

The CJEU found that the Safe Harbour system enabling data transfers from the EEA to the United States, utilised by thousands of companies including the likes of Google, Facebook, Twitter and other household names, is invalid. In reaching this conclusion, the CJEU held that the previous Commission Decision[i] approving the Safe Harbour system was invalid as it failed to sufficiently examine the data protection standards in the US to ensure that the level of protection of fundamental rights is equivalent to that guaranteed in the EU. The CJEU also ruled that the existence of the Decision does not prevent national supervisory authorities from examining whether the transfer of personal data to a third country complies with the requirements of EU data protection law.

Consequences of the CJEU Judgment

In relation to the originating Irish High Court case, the Judgment means that the Irish Data Protection Commission is obliged to investigate the complaint made by Mr. Schrems and decide whether the transfer of personal data from Facebook Ireland to the US is in breach of the relevant EU Data Protection law. Regardless of the outcome of the originating Irish High Court case, the CJEU Judgment stands independently and is effective immediately.

Guidance

The Article 29 Working Party (the “Group”) is tasked with providing expert advice to the European Commission on data protection matters, promoting the uniform application of the Data Protection Directive on a national level and advising the European Commission on any European Community law that affects the right to protection of personal data.

In a statement issued on Friday 16 October 2015, the Group stated that if no replacement for Safe Harbour is agreed with the US authorities by the end of January 2016, the EU data protection authorities would take all necessary actions which may include coordinated enforcement actions. It advised that EU data protection authorities will put in place, at national level, information campaigns to keep companies who previously relied on Safe Harbour up to date. The Group confirmed that alternative tools authorising data flows can still be used by companies for lawful data transfers to third countries like the United States.

In addition, the EC has released a communication to the European Parliament and the Council on the Transfer of Personal Data from the EU to the USA under Directive 95/46/EC following the Judgment by the CJEU (COM (2015) 566 final, 6th November 2015).

The Communication reiterates that a renewed and sound framework for transfers of personal data to the United States remains a key priority. The EC has been in negotiations with the US government since 2013 on a new arrangement for transatlantic data transfers, and those discussions have now intensified in light of the CJEU Judgment.

Conclusion

The full impact of the Judgment and the risk of potential recourse after the end of January 2016 are yet to be seen. This leaves a great deal of uncertainty for companies who utilise the transfer of personal data to the US. All businesses should review their contracts, data protection policies and terms and conditions in light of the above ruling and take individual advice in relation to the implications of this important judgment.

If any of the above is relevant to your business and you would like to discuss further, please contact Edward Johnston, Sam Saarsteiner or Karen O’Brien.

[i] Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 L 215, p. 7).