The long awaited ECJ’s judgment in Maximillian Schrems v Data Protection Commissioner (Case C‑362/14) declared the EU-US Safe Harbor framework (set out in Decision 2000/520 on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce invalid for failing to ensure adequate protection for data transferred from the EU to the US as required by the Data Protection Directive (95/46/EC).
The Court also held national data protection authorities may (must) examine claims from data subjects that a transfer of their personal data to a non-EEA country violates their right to privacy even if the receiving country has been found by the Commission to ensure an adequate level of protection for personal data.
David v Goliath: Austrian law student challenges Safe Harbor framework
The case was brought by Austrian law student Max Schrems, a longtime user of Facebook, who had asked the Irish Data Protection Commissioner (DPC) to exercise its powers to prevent Facebook Ireland from transferring his personal data to its US parent company, Facebook Inc. He claimed that US law and practice did not ensure adequate protection of personal data held in its territory against the mass surveillance of data carried out by public authorities (for example, under the NSA’s PRISM programme).
The DPC decided that he was bound by the European Commission’s findings in Decision 2000/520 that Safe Harbor ensured adequate protection and rejected Mr Schrems’ claims as unfounded. Mr Schrems brought an action before the High Court challenging the decision.
The High Court found that although the electronic surveillance and interception of personal data transferred from the EU to the US serve necessary and indispensable objectives in the public interest, Edward Snowden’s revelations in 2013 about US National Security Agency (NSA) surveillance of data held by Safe Harbor participants, showed a “significant over-reach” by US public authorities. Also, the High Court found that EU citizens have no effective right to be heard as part of US oversight proceedings.
National data protection authorities can (must?) investigate complaints
As regards the role of the national data protection authorities, the ECJ declared:
- The conditions imposed through Article 3 of Decision 2000/520 to restrict the powers of national DPAs invalid. National DPAs must be allowed (and may indeed be required) to examine complaints about the lawfulness of data exports brought by data subjects.
- Itself to be the ultimate arbiter on the validity of EU acts and their compatibility with the EU fundamental rights framework; neither national DPAs nor national courts have the power to declare an EU act invalid.
- Member states must provide procedures for data subjects and national DPAs to bring questions of validity to the attention of the national courts so they can then refer them to the ECJ for determination.
Safe Harbor decision declared invalid
The ECJ declared Decision 2000/520 invalid. In order to make a finding of adequacy under Article 25(6) of the Directive, the Commission must establish whether the third country ensures an adequate level of protection by reason of its domestic law or its international commitments. Adequate protection must be ensured by the third country’s legal order.
However, Decision 2000/520 does not meet this criterion as it does not examine the US legal framework in sufficient detail. It also does not apply to US public authorities. Instead, the Decision makes it clear that in case of a conflict between compliance with the Safe Harbor principles and US laws that require the disclosure personal data transferred to the US under the framework, US law takes precedence. The ECJ held that US law does not provide sufficient safeguards that protect EU citizens’ fundamental rights of privacy and data protection and does not grant EU citizens rights of judicial redress. Personal data transferred to the US under the Safe Harbor framework would therefore be at risk of being accessed and used by US public authorities, and US laws and international commitments in a way that would not be compatible with the EU fundamental rights framework.
What now for EU-US data flows?
Even ignoring the commercial and political impact the ECJ’s decision will have on data flows between the EU and the US and, consequently, on the relationship between the two countries, the judgment is interesting for a number of reasons.
For a start, it is clear that the ECJ now fully accepts its own role as the guardian of the EU fundamental rights framework as set out in the Charter and the Treaties. Its declaration that it alone is competent to decide whether EU acts, both legislative and executive, comply with Charter rights makes it a true EU “constitutional court”. This stance will be popular with countries concerned about the standard of judicial redress at EU level for fundamental rights protection and less popular with countries like the UK that traditionally view powers of courts to invalidate legislation with suspicion.
Procedurally, the judgment may cause an administrative headache for member states where opportunities for judicial review of legislative acts are strictly limited. For example, the ECJ’s requirement that national supervisory authorities must have the right (and may indeed have the duty) to apply to the national courts for judicial review of an EU act is not reflected in the UK Data Protection Act 1998. It will take time for national legislation to catch up with changes needed to comply with the ECJ’s dictum.
On a practical level, the judgment leaves both EU data controllers and US recipients of data flows that have relied on the Safe Harbor to legitimise their data transfers in an immediately precarious situation. Although there is generally no impediment that would keep the Commission from reissuing Decision 2000/520, provided that the requirement to review whether the US legislation complies with the requirements set out in Article 25 (2) and (6) are met, this process is likely to take time and may only be completed with full cooperation by the US authorities. Even then, it may be difficult to establish that the US does in fact provide an adequate level of protection.
Without Decision 2000/520, businesses will, for now have to rely on other derogations and exemptions from the general prohibitions on data transfers to third countries that do not provide adequate protection.
In the short term, it is likely that both the use of standard contractual clauses and Binding Corporate Rules (BCRs) will increase. However, both of those methods are now equally vulnerable to regulatory or judicial review and a potential declaration of invalidity at least to the extent that they are used to authorise transfers of personal data to the US. There is at least the possibility that the ECJ, following a similar challenge, would come to a similar conclusion.
EU data controllers could also consider relying on one of the other derogations set out in Article 26(1) of the Directive which (among other things) justify transfers made with the data subject’s consent or are necessary, say, for the performance of a contract or on important public interest grounds. However, national DPAs have long cautioned against relying exclusively on data subjects’ consent given that these can be withdrawn at any time. Even where the data controller makes the provision of its services conditional on receiving such consents, there is now at least a question mark over whether a contractual requirement for the data subject to consent to a transfer of his data to a potentially unsafe jurisdiction can be considered fair under the circumstances. Some national courts (like Germany) have already started to review privacy policies under their national consumer protection regimes and it is likely they will not approve such contractual consents.
In the medium term it may be incumbent upon the European Commission to take political steps to persuade the US to review its legal framework to provide both substantive protections for EU citizens’ personal data and rights to judicial redress. Previous endeavours in this regard have mostly been unsuccessful. However, perhaps there will be a change in attitude, when the US is faced with the potential inability of US companies to provide services involving the transfer of personal data to the US from the lucrative EU market.
For EU data controllers, there is now a period of legal uncertainty that may only be resolved through the adoption of the new Data Protection Regulation. However, the timetable for its adoption could well be derailed as a result of this decision.
For a detailed summary and analysis of the ECJ’s decision, see Legal update, ECJ rules that the EU-US safe harbor arrangement is invalid, which has been published by Practical Law Data Protection.
