Court of Justice declares Safe Harbour Framework invalid

Spotlight
6 October 2015

In a judgment rendered this morning (C-362/14 – Maximilian Schrems vs. Data Protection Commissioner), the Court of Justice declared the Safe Harbour Framework, which enables data transfers between the EEA and the United States, invalid. The decision comes less than two weeks after Advocate General Bot came to the same conclusion in his opinion of 23 September 2015.

Why a Safe Harbour Framework?

Personal data can only be transferred to a country outside the EEA if that non-EEA country guarantees an "adequate level of protection" and thus ensures protection of personal data in accordance with the protection standards offered within the EEA.

Controllers have a number of possibilities available for transferring personal data to third countries. They can:

  • conclude a model contract with the recipient of the data in the third country;
  • implement binding corporate rules; or
  • in specific cases, rely on one of the exceptions (such as the consent of the data subject) provided for in article 22 of the Act of 8 December 1992 on the protection of privacy with regard to the processing of personal data.

Specifically for the United States, in addition to the above options, there was also the possibility to base the transfer of personal data on the Safe Harbour certification of the recipient of the data in the United States.


What is the Safe Harbour Framework?

The Safe Harbour Framework was adopted after years of negotiations between the EU and the US and consists of a number of Safe Harbour principles to which US companies can adhere through mechanisms of self-certification and self-assessment. From then on, they are deemed to offer the expected adequate protection and they can receive personal data from the EEA without additional measures. The principles were established by Commission Decision 2000/520/EC of 26 July 2000.

Why was the Safe Harbour Framework under pressure?

Since the revelations made by Edward Snowden, it has become obvious how personal data held by US companies can be subject to the "mass surveillance programmes" of the United States, even if the recipient in the United States is Safe Harbour certified.

The revelations have led to growing criticism of the Safe Harbour Framework and have raised the question of whether the Safe Harbour Framework should be temporarily suspended. In a resolution adopted in March 2014, the European Parliament answered in the affirmative and called for a suspension of the Safe Harbour Framework.

In a separate initiative, Max Schrems, an Austrian PhD student, filed a complaint with the Irish Data Protection Commissioner concerning the fact that Facebook Ireland transmits his data to Facebook US (which is Safe Harbour certified), hence making it possible for US authorities to access his data. He therefore requested suspension of the data transfers. The Irish Data Protection Commissioner refused, because it believed it was bound by Commission Decision 2000/520/EC, which had ruled that the Safe Harbour Framework provides an adequate level of protection.

What did the Court of Justice examine and what has it decided?

The Court of Justice had to examine whether, in the light of Articles 7 and 8 of the Charter of Fundamental Rights, Decision 2000/520/EC on the Safe Harbour Framework prevents national data protection authorities from examining whether the Safe Harbour Framework actually offers an adequate level of protection and suspending a data transfer if the protection level is found to be inadequate.

The Court of Justice first ruled that national data protection authorities are able to investigate whether an adequate level of protection exists. They are, in the Court's view, independent authorities that must be able to verify whether the data transfer actually is in line with the requirements set out in Data Protection Directive 95/46/EC.

The Court went even further and also ruled that the Safe Harbour Framework is not valid. Under EU law, legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, the storage of all the personal data of all the persons whose data is transferred from the EU to the United States, without any differentiation, limitation or exception being made in the light of the objective pursued, and without any objective criterion being laid down for determining the limits of the public authorities' access to the data and of its subsequent use.

What do you, as an enterprise, have to do?

From now on, you can no longer base your data transfers to the United States on the Safe Harbour certification of your US contractor.

The fastest way to move forward is to conclude an EU model contract with the American recipient of the personal data (the Commission has adopted EU model contracts for controller to controller data transfers and for controller to processor data transfers). However, keep in mind that you have to file a copy of that contract with the Privacy Commission. International corporate groups can also consider the more time-consuming procedure of adopting binding corporate rules. Finally, also remember to amend your (internal and external) policies where necessary.