On October 6, 2015, the European Court of Justice (ECJ) issued a ruling in Schrems v. Data Protection Commissioner that invalidated the European Commission’s decision that the data privacy principles of the U.S.-EU “safe harbor” – pursuant to which U.S. companies transfer personal information about EU citizens to the U.S. after agreeing to abide by these principles – provide an adequate level of protection for the data of EU citizens. As a result of this ECJ decision, the privacy supervisory authority in each EU member state has the power to question whether transfers of personal data to the U.S. comply with EU data protection law and to suspend such transfers if EU privacy obligations are not met. The impact is potentially enormous for the thousands of U.S. multinational companies that currently operate under the safe harbor (as well as for the thousands of European businesses that have their data hosted in the U.S. by these U.S. companies). The European Commission has indicated that it is committed to finding a “safer” safe harbor so that the transfer of transatlantic data can continue. Regardless, companies that rely on the U.S.-EU safe harbor agreement must review their current practices and consider alternatives.
Background
European data privacy law prohibits the transfer of personal data to a country outside the European Economic Area unless that country ensures an adequate level of protection for individuals’ personal data. In order to enable U.S. organizations to comply with this European law, the U.S. Department of Commerce worked with the European Commission to develop the safe harbor framework, which allowed U.S. organizations that self-certified compliance with the safe harbor principles (which are similar to the EU’s data protection principles) to transfer data concerning EU citizens to the U.S. The ECJ has now ruled that the safe harbor scheme is invalid and that any EU member state’s national supervisory authorities may question whether a transfer of personal data to the U.S. complies with the EU’s data privacy laws, despite reliance on the scheme.
Procedural History
Schrems originated as a lawsuit brought by Austrian privacy activist Maximillian Schrems in Ireland. In light of the 2013 Edward Snowden disclosures concerning the NSA and U.S. electronic surveillance, Schrems filed a complaint with the Irish data protection commissioner, arguing that his personal data, some of which is transferred from Facebook’s Irish subsidiary to Facebook’s U.S. servers, was not adequately protected under the existing safe harbor regime.[1] The data protection commissioner rejected the complaint, in part because of reliance on the safe harbor scheme, which the European Commission had decided provided adequate protection to EU citizens. Upon judicial review, the High Court of Ireland asked the ECJ to clarify whether the safe harbor agreement prevented a national data protection authority (DPA) from investigating a complaint alleging that a third country (i.e., the U.S.) does not ensure an adequate level of protection, thereby allowing the suspension of data transfers.
In his September 23, 2015, opinion, Advocate General Yves Bot found that the safe harbor agreement did not ensure adequate protection of EU users’ personal data when transferred to the U.S. Further, the advocate general argued that data protection authorities of member states had the obligation to protect the personal data of all EU citizens. Notwithstanding the safe harbor agreement, Bot wrote that the data protection authorities of an individual member state should be able to suspend the transfer of data of EU users to servers located in the U.S., which would effectively undermine the safe harbor agreement. Advocate General Bot’s opinion intimated that the ECJ could and should require the European Commission to invalidate the safe harbor agreement.[2]
The ECJ Decision Summary
On October 6, 2015, the ECJ issued a nonappealable opinion that essentially invalidates reliance upon the U.S.-EU safe harbor. Adopting the reasoning of the advocate general’s opinion, the ECJ found that safe harbor did not provide an adequate level of data protection given U.S. intelligence activities. The ECJ held that the European Commission’s 2000 decision finding that the U.S. safe harbor provides an adequate level of protection is invalid and does not trump the powers available to EU national data supervisory authorities to question the lawfulness of transfers under the U.S. safe harbor regime.[3]
The Schrems case will resume in Ireland, with the specific merits of that case to be determined. As a result of the ruling, we are likely to see other data privacy complaints filed against DPAs in other member states, with unpredictable and likely varying results. Thus, the privacy requirements in the EU have the potential to become disparate and unwieldy, and U.S. companies may find it necessary to adjust their data privacy policies on a country-by-country basis.
Takeaways
We expect that EU national data supervisory authorities will be inundated with complaints from individuals and consumer groups. There are a number of existing alternatives to the safe harbor:
- Restructuring data storage architecture to ensure that European data remains in Europe. Such a restructuring may add significant cost, as well as impact corporate structure.
- Adopting binding corporate rules (BCRs), which are internal rules adopted by multinational groups of companies and approved by the EU.[4] BCRs can be costly and time-consuming to develop and implement but would provide a U.S. company with essentially the same capacity to transfer data as it enjoyed under the safe harbor agreement.
- Adopting the pro forma model contractual clauses approved by the European Commission.
- Obtaining individual consent. For example, the addition of an extra consent form for European users to click that explicitly allows a company to transfer their data to U.S. servers.
In the wake of the decision, the European Commission has said it would work with national supervisory authorities to issue further guidelines – including a safer safe harbor. European Commission and U.S. officials had already entered into negotiations in 2013 for creating a new safe harbor agreement. The ECJ ruling may also place more pressure on Congress to pass legislation currently under consideration that would allow EU citizens to bring privacy lawsuits in U.S. courts.
[1] European Court of Justice Press Release No 106/15, Advocate General’s Opinion in Case C-362/14 Maximillian Schrems v. Data Protection Commissioner (Sept. 23, 2015).
[2] See id.
[3] European Court of Justice Press Release No 117/15, Judgment in Case C-362/14 Maximillian Schrems v. Data Protection Commissioner (Oct. 6, 2015).
[4] European Commission’s Directorate General for Justice and Consumers, Overview on Binding Corporate Rules (Sept 2, 2015), available at http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/index_en.htm.
Published October 13, 2015.