On October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor framework as a legal basis for transferring personal data from the European Union to the U.S.[1] The judgment was delivered in Schrems v. Data Protection Commissioner, a case in which Max Schrems, an Austrian student, complained to the Data Protection Authority (DPA) in Ireland about the transfer of his personal data by Facebook to its servers in the U.S.
The Schrems judgment is of major importance to the over 4,000 companies that relied on Safe Harbor to transfer personal data from the EU to the U.S. This article details the background of the case, analyzes its holdings and consequences, and summarizes the main developments that have occurred since the judgment was issued.
EU personal data can be transferred outside of the EU only if the laws of the recipient country are deemed to provide an adequate level of data protection under EU law, or if there is a legal mechanism in place to ensure such an adequate level of protection. The European Commission—the EU’s executive arm—can adopt “adequacy decisions” to officially approve a country’s adequate level of data protection.
The U.S. is not considered to provide an adequate level of data protection under EU law. However, the EU and the U.S. had agreed on a Safe Harbor framework to allow U.S. companies to transfer EU personal data to the U.S. In 2000, the European Commission formally recognized the Safe Harbor framework as a valid mechanism for transferring personal data from the EU to the U.S. by adopting an adequacy decision (the Safe Harbor decision).[2] By self-certifying to the Safe Harbor framework, companies voluntarily committed to abide by a set of data protection principles. The Safe Harbor framework was enforced by the Federal Trade Commission (FTC) under Section 5 of the FTC Act.
In the wake of revelations concerning mass surveillance by U.S. authorities in 2013, Max Schrems filed a complaint with the DPA in Ireland, where Facebook’s EU headquarters is located. Schrems requested that the DPA investigate Facebook’s alleged disclosure of EU personal data to U.S. authorities for mass surveillance purposes. The Irish DPA rejected the complaint, arguing that it was bound by the Safe Harbor decision. Schrems appealed to the Irish High Court, which requested that the CJEU clarify whether national DPAs are bound by such an adequacy finding by the European Commission.
Below are the key findings of the Schrems judgment.
- Safe Harbor Is Invalid. The CJEU went beyond the initial question brought by the Irish High Court and declared the Safe Harbor decision invalid. According to the CJEU, the Safe Harbor decision violated EU fundamental rights due to broad exceptions for data disclosures for national security purposes, the lack of judicial redress for EU individuals in the U.S., and the lack of oversight powers by independent authorities.
- Any Further Transfer of Personal Data on the Basis of Safe Harbor Is Unlawful. As a result of the invalidation of the Safe Harbor decision, any new data transfer by companies that were relying on the Safe Harbor framework now lacks a legal basis and may expose these companies to liability until they implement an alternative data transfer mechanism.
- DPAs Can Investigate Data Transfers Based on Adequacy Decisions. Even if data transfers are occurring on the basis of a European Commission adequacy decision, each national DPA can independently investigate the transfers (e.g., following a complaint) and decide to suspend them if it considers that they violate EU data protection law. This entails a high risk of inconsistent decisions by the different national DPAs concerning international data transfers, and may lead to the fragmentation of the EU internal market, which creates significant uncertainty for businesses.
- Alternative Data Transfer Solutions Are Valid for Now. The judgment did not consider the validity of other data transfer mechanisms, such as Standard Contractual Clauses (SCC), Binding Corporate Rules (BCRs), ad-hoc contracts, and derogations such as consent or the performance of a contract. Therefore, for the time being, these mechanisms can still serve as an alternative to the Safe Harbor framework. However, some regulators consider that these alternative data transfer mechanisms should also be investigated (see below).
The Schrems judgment created a high level of legal uncertainty in the EU, which was increased by various statements from stakeholders in and outside the EU that followed the judgment. Summarized below are some of the main developments since the release of the judgment.
The European Commission’s Statements
On the day of the release of the judgment, the European Commission stated during a press conference that other data transfer mechanisms are available to businesses, and underlined that both the EU and the U.S. are actively engaged in negotiations for a new Safe Harbor framework.[3] A month after the judgment, the European Commission released a non-binding guidance communication on the transfer of personal data from the EU to the U.S. following the Schrems judgment. This is a political document which, although informative, is of little help to businesses.[4]
The Article 29 Working Party’s Reaction and Statements from Local DPAs
On October 16, 2015, the Article 29 Working Party (the Working Party)—the body where national DPAs meet at the EU level—issued its first statement on the implementation of the judgment.[5] Statements and guidance from the Working Party are usually a good indication of how DPAs will interpret the law but are not legally binding.
In a nutshell, the Working Party confirmed that: (i) transfers of personal data formerly based on the Safe Harbor framework are now unlawful; and (ii) SCC and BCRs are still valid alternative data transfer solutions. However, the Working Party declared that it will assess the validity of these alternative data transfer mechanisms in light of the Schrems judgment and reserves the right to suggest changes to these instruments. In addition, the Working Party urged the European Commission to make progress on enabling data transfers to the U.S. by the end of January 2016, including by negotiating a new agreement with the U.S. This deadline is more an ultimatum given to the EU institutions and the U.S. government to find a political solution than a grace period given to companies. DPAs have threatened to start coordinated enforcement actions if no solution is found with the U.S. before this date. In the meantime, individual DPAs may already investigate particular cases and exercise their powers, including the suspension of data transfers, in particular in case of complaints from individuals.
In parallel, many DPAs have expressed their own views, which are often not entirely aligned with the Working Party’s statement. For example, the German DPAs jointly stated that they would not approve any new BCRs and “data export contracts.”[6] Within Germany, each DPA acts independently, and some of them have expressed even more conservative approaches (e.g., the Schleswig-Holstein DPA). On the other end of the spectrum, the UK DPA,[7] traditionally quite pragmatic, recommended that companies not rush into alternative solutions. Statements from the Spanish,[8] French,[9] Belgian,[10] Polish,[11] and Italian[12] DPAs can be situated somewhere in between these two ends of the spectrum. Some DPAs, such as the Spanish and Norwegian DPAs, started sending letters to companies that had indicated Safe Harbor in their registrations as the legal basis for data transfers to the U.S. Businesses now face a high risk of fragmentation of the EU market if DPAs do not fully coordinate their actions. Hopefully, the Working Party will soon issue its own guidance document on the consequences of Schrems.
Consequences of the Judgment Outside the EU
The invalidation of the Safe Harbor decision also had an effect outside of the EU. Over the years, a number of non-EU countries have adopted data protection legislation that is inspired by EU data protection law. Many of these countries consider that countries or mechanisms that are recognized to be adequate under EU data protection law are also adequate under their own national data protection law. Therefore, the invalidation of the Safe Harbor decision also triggered reactions outside of the EU. In particular, the Swiss[13] and Israeli[14] DPAs considered that data transfers based on the Safe Harbor framework are no longer lawful. In a milder approach, the Dubai International Financial Centre’s DPA stated that it is reconsidering the adequacy status granted to Safe Harbor-certified companies.[15]
A New Framework for Data Transfers Between the EU and the U.S.?
The European Commission officially aims to conclude the negotiations on a new agreement before the end of January 2016. Both the U.S. and the EU have made statements that the negotiations are progressing quickly, and that they are hopeful that an agreement will be reached shortly.[16] However, it is uncertain whether the U.S. and the EU can agree on a new framework that will actually meet the very high bar set by the Schrems judgment. In particular, there are concerns in the EU regarding the restrictions that should apply to requests for data access by U.S. law enforcement and national security agencies and the possibility for individuals to seek redress in the EU.
Conclusions: Companies Should Monitor the Situation and Consider Implementing an Alternative Data Transfer Strategy
Companies transferring personal data outside the EU now face a very high level of uncertainty regarding the legal framework applicable to their data transfers, and there is a significant risk of fragmentation of the EU internal market. It seems likely that DPAs will take enforcement actions across the EU against companies that have not implemented an alternative data transfer mechanism by the end of January, or before then in case they receive complaints from individuals. In parallel, negotiations between the U.S. and the EU to agree on a new framework are progressing, but it remains uncertain whether a workable agreement will be reached in the short term.
Therefore, companies that were relying on the Safe Harbor framework should adopt a new data transfer strategy. There is no one-size-fits-all alternative approach to Safe Harbor. Which data transfer mechanism to implement depends on a company’s size, corporate structure, industry sector, data flows, and whether it operates in the B2C or B2B context.
The situation is in flux and evolving at a fast pace since all stakeholders involved, in and outside the EU, are still figuring out the consequences of the Schrems judgment. New developments on this issue are expected in the coming weeks and months. We are closely monitoring this issue and will continue to update you on significant developments.
[1] The judgment in case C-362/14 at http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=402443.
[2] The European Commission Decision of July 26, 2000 (2000/520/EC) at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML.
[3] The European Commission’s press release at http://europa.eu/rapid/press-release_STATEMENT-15-5782_en.htm.
[4] The Communication at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/files/eu-us_data_flows_communication_final.pdf.
[5] The Working Party’s Statement at http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf.
[6] The position paper (in German) at https://www.datenschutz.hessen.de/ft-europa.htm#entry4521.
[7] The UK DPA’s blog post at https://iconewsblog.wordpress.com/2015/10/27/the-us-safe-harbor-breached-but-perhaps-not-destroyed/.
[8] The Spanish DPA’s statement (in Spanish) at http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa
[9] The French DPA’s statement (in French) at http://www.cnil.fr/linstitution/actualite/article/article/invalidation-du-safe-harbor-par-la-cour-de-justice-de-lunion-europeenne-une-decision-cl/.
[10] The Belgian DPA’s statement (in French) at https://www.privacycommission.be/fr/news/la-commission-vie-privee-se-prononce-sur-larret-de-la-cour-de-justice-de-lunion-europeenne.
[11] The Polish DPA’s statement (in Polish) at http://www.giodo.gov.pl/560/id_art/8951/j/pl/.
[12] The Italian DPA’s statement (in Italian) at http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/4308245.
[13] The Swiss DPA’s statement (in French) at http://www.edoeb.admin.ch/datenschutz/00626/00753/00970/01320/index.html?lang=fr.
[14] The article at https://iapp.org/news/a/safe-harbor-fallout-israels-dpa-revokes-prior-authorization/.
[15] The DIFC DPA’s guidance at http://www.difc.ae/sites/default/files/DIFC-Data-Protection-Commissioner-Guidance-on-Adequacy-Status-relating-to-US-Safe-Harbor-Recipients.pdf.
[16] The European Commission’s press release at http://europa.eu/rapid/press-release_IP-15-6015_en.htm.