The European Court of Justice renders the Safe Harbor Agreement invalid
What is the Safe Harbor Agreement?
The EU Data Protection Directive provides that EU companies may transfer personal data to non-EEA countries only if the receiving country provides an ‘adequate level of protection’. In 2000 the EU-US Safe Harbor Agreement introduced a self-certification mechanism for companies wishing to transfer data across the Atlantic: companies relying on the Agreement undertook to ensure that data transferred to US data centers was well protected.
Commission Decision 2000/520 of July 26th confirmed the Safe Harbor regime as providing an adequate level of protection for data transferred to the US.
The case and the judgment
In light of the 2013 Edward Snowden mass surveillance revelations, the Austrian privacy activist Maximilian Schrems, initiator of the class action Europe v. Facebook, filed a suit in the Irish courts against Facebook alleging its collaboration with the NSA’s Prism program. He claimed that data transferred from the EU to the US under Safe Harbor was not adequately protected by US law and practice against surveillance by public authorities. Because the case fell under the Safe Harbor Agreement, it was referred to the ECJ.
The ECJ judgment of October 6th 2015 in case C-362/14 Schrems v. Data Protection Commissioner, following the Opinion of Advocate General Yves Bot of September 23rd 2015, declared Commission Decision 2000/520, and with it the Safe Harbor Agreement, invalid.
Commission Decision 2000/520 restricted the powers available to national data protection authorities (hereinafter DPAs), preventing them from independently examining US data protection compliance in individual cases.
However, the ECJ noted that the Commission had assessed the adequacy of protection not on the basis of US national law or international commitments, but on the merit of the stipulated Safe Harbor principles as applied by the participating companies. Moreover, the ECJ observed that Safe Harbor cannot supersede scrutiny by national DPAs, which have the authority to conduct such scrutiny under the Data Protection Directive and the EU Charter of Fundamental Rights. By preventing them from conducting independent assessments, the Commission exceeded its competence.
In assessing the validity of the Safe Harbor Agreement, the ECJ observed that the US allows the storage of all personal data without differentiation, limitation or exception as to the purposes and objectives of its retention. US law does not stipulate any definitive criteria for access to data by public authorities, which leaves the grounds for interference vague and virtually unrestricted. Moreover, US national security, public interest and law enforcement requirements prevail over the Agreement.
The ECJ also held that the Agreement violates the fundamental right of EU citizens to effective judicial protection, since it does not allow them to bring an action before US courts when they have reason to believe that their privacy has been infringed by US companies or the US government.
The effects of the judgment
Over 4,500 companies that outsourced data to the US (including big data businesses, cloud providers, global multinational companies, and large internet and tech companies) relied on the Safe Harbor Agreement. Data flows continue after the judgment, but those companies are no longer in compliance with EU data protection law.
In contrast to the Safe Harbor ‘blanket allowance’, national DPAs are now authorised to review each data transfer individually. Former Safe Harbor companies may potentially need to deal with 28 different sets of data privacy regulations in the Member States, which, in principle, could forbid outbound transfers of data about their citizens altogether.
For affected companies this means they should turn to alternative ways of transferring data, adopt strong encryption for the processing of EU users’ data, or restructure their processing by establishing EU centers for the processing of regional data.
Alternative ways of transatlantic data transfer
The Data Protection Regulation provides alternative options for former Safe Harbor companies. These include standard data protection clauses in contracts between the EU company transferring data and the US company receiving it; binding corporate rules for transfers within a corporate group; the consent of the data subject; and transfers made for the performance of a contract, in the public interest, or in the interest of the data subject (in emergency situations). Regardless, the best option is still to carry out an independent assessment of the quality of protection of personal data both inside and outside Europe.
The Safe Harbor rules have been under review by the Commission since 2013, and the present judgment is expected to accelerate that process and lead to the negotiation of an updated agreement. However, given the ECJ’s reasoning on the invalidity of the Commission Decision, national DPAs will still have a say in individual cases even under an updated agreement.