The ECJ has found that the European Commission decision giving rise to the regime which allows the lawful transfer of personal data from EU countries to US companies with 'Safe Harbor' status is invalid.
This landmark judgment will have a significant impact on data controllers transferring personal data to Safe Harbor companies, who must now review those arrangements and consider the alternatives. Emma Godding explains the judgment and the potential practical implications.
The question of Safe Harbor's validity arose from proceedings between Mr Schrems (an Austrian national) and the Data Protection Commissioner for Austria, regarding the Commissioner's refusal to investigate a complaint that Facebook Ireland Ltd transfers the personal data of its users to the US. Mr Schrems' complaint concerned the fact that the US does not ensure 'adequate protection' for personal data, because its public authorities are engaged in intrusive surveillance activities. In his complaint, Mr Schrems referred to the revelations made by Edward Snowden concerning the activities of the US intelligence services.
The European Directive governing data protection (Directive 95/46/EC) provides that member states may only transfer personal data to a country outside of the EEA if the country to which it is being transferred ensures "an adequate level of protection" for that personal data. The Directive allows the European Commission to determine that a country outside of the EEA provides adequate levels of protection; in such cases personal data may be transferred from member states without any additional guarantees being required (i.e. without the need to obtain the consent of affected individuals, or entering into specific contracts).
The US is deemed to have lesser protection for personal data than the member states. Consequently, in 2000, the Commission decided that US organisations importing and processing personal data in accordance with a specified set of safeguards, referred to as the 'Safe Harbor principles', are deemed to have 'adequate protection'. Accordingly, the Commissioner in the Schrems case took the view that he was not required to investigate the matters raised by Mr Schrems, as it was already recognised that the personal data being transferred would be adequately protected in accordance with the Safe Harbor regime.
Mr Schrems brought an action before the High Court challenging the Commissioner's decision. The High Court recognised that Mr Schrems was raising the legality of the Safe Harbor regime (as approved by the European Commission), and referred the question of the validity of Safe Harbor to the ECJ.
The ECJ examined whether the Safe Harbor decision complies with the requirements of Directive 95/46 when read in light of the Charter of Fundamental Rights of the European Union.
The ECJ makes the point that the Safe Harbor principles were issued by the US Department of Commerce, and that those principles in themselves ensure adequate protection for personal data transferred from the EU to organisations established in the US. However, US companies were able to self-certify whether they had adhered to the Safe Harbor principles. The ECJ considered that whilst a system of self-certification does not necessarily mean that the data was not adequately protected, the Safe Harbor regime is founded on reactive mechanisms which enable infringements of the rules to be identified and punished accordingly. Additionally, the principles only apply to self-certified US organisations receiving personal data from the EU, and not to US public authorities who can access European personal data held by Safe Harbor companies.
The ECJ went on to consider the US legislation relating to personal data. The Commission had previously found that US authorities were able to access the personal data transferred from the Member States to the US and process that data in a way incompatible with the purposes for which it was transferred. The US authorities' rights to process that data went beyond what was strictly necessary and proportionate to the protection of national security. Furthermore, data subjects had no administrative or judicial means of redress; they were not able to access data relating to them or ensure that the data could be rectified or erased where necessary. The ECJ also found that the arrangement could compromise the fundamental right to respect for private life: if legislation does not provide any opportunity for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, it cannot be said to respect the right to effective judicial protection.
The ECJ concluded that, "without there being any need to examine the content of the Safe Harbor principles, it is to be concluded that Article 1 of the Decision fails to comply with the requirements laid down in Article 25(6) of the Directive, read in the light of the Charter, and that it is accordingly invalid."
The ICO has published its initial reaction to the decision. Deputy Information Commissioner, David Smith, said:
“The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time to do this… We will now be considering the judgment in detail, working with our counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them. Businesses should check the ICO website for details over the coming weeks.”
In practice, the judgment means the end of Safe Harbor in its existing format. In its reaction to the judgment, the Deputy Information Commissioner stated that, “Concerns about the Safe Harbor are not new. That is why negotiations have been taking place for some time between the European Commission and US authorities with a view to introducing a new, more privacy protective arrangement to replace the existing Safe Harbor agreement. We understand that these negotiations are well advanced.” It seems likely that efforts to amend the arrangements to bring them in line with EU legislation will be doubled.
Data controllers should remember that the judgment only affects transfers of personal data under the Safe Harbor regime. The ICO in its press statement reminds data controllers that there are other methods of ensuring that transfers outside of the EEA are lawful: “It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions. The ICO has previously published guidance on the full range of options available to businesses to ensure that they are complying with the law related to international transfers.”
Data controllers should reconsider their data transfer arrangements in light of the judgment, and in particular consider appropriate alternative options. Controllers may wish to consider using 'Model Contract Clauses', which involve incorporating off-the-shelf, EU-approved provisions into contracts with overseas data controllers and processors. Alternatively, organisations transferring data overseas could consider the use of binding corporate rules.
No doubt the immediate concern for UK data controllers currently transferring personal data to Safe Harbor accredited US companies will be whether the ICO will take enforcement action against Safe Harbor transfers. This would have serious ramifications for UK-US commercial transactions. It appears from the ICO's press release that it recognises that it will take time for UK organisations involved in the transfer of personal data overseas to review their arrangements.
It has yet to be seen how UK data controllers involved in Safe Harbor transfers will react to the judgment, but as the ICO states, they are left in a position where they have little choice but to review their practices and consider alternatives.
Bevan Brittan's Information Law team specialises in all aspects of data protection and has extensive experience of advising on overseas transfers of personal data in commercial transactions. The team can provide swift and pragmatic advice to assist organisations affected by the Schrems decision to find suitable alternatives to their existing Safe Harbor arrangements.