In this piece that originally appeared in the Internet Newsletter for Lawyers, Eduardo Ustaran, partner at Hogan Lovells, considers the implications of the CJEU’s recent decision in the Schrems case and sets out an action plan for companies previously reliant on Safe Harbor for EU to US transfers.
On 6 October 2015, the Court of Justice of the European Union (CJEU) declared the EU–US Safe Harbor framework invalid as a mechanism to legitimise transfers of personal data from the EU to the US. This decision effectively leaves any organisation that relied on Safe Harbor exposed to claims that such data transfers are unlawful and could have serious implications for transfers of personal data both within multinationals and to global service providers.
Safe Harbor was jointly devised by the European Commission and the US Department of Commerce as a framework that would allow US-based organisations to overcome the restrictions on transfers of personal data from the EU. However, since its adoption, Safe Harbor has been fraught with challenges. Although the data protection requirements set out in the Safe Harbor Privacy Principles were meant to match the standards of protection of European law, its self-certification nature and the non-European style of its provisions have attracted much criticism over the years. In particular, the revelations triggered by Edward Snowden in 2013 about the US intelligence surveillance operations led the European Parliament to adopt a resolution seeking its immediate suspension. The European Commission had no choice but to reopen the dialogue with the US government to find a way of strengthening the framework and restoring its credibility.
The Schrems case
One particular individual, Austrian law student Max Schrems, decided not to wait for the outcome of the re-negotiation of Safe Harbor. He lodged a complaint with the Irish Data Protection Commissioner requesting the termination of any transfers of personal data by Facebook Ireland to the USA. However, the Irish Commissioner rejected the complaint on the basis that the adequacy of Safe Harbor had already been determined by the European Commission and therefore, it was not open to the Irish Commissioner to challenge the European Commission’s “adequacy finding”. This was not accepted by Schrems who sought judicial review of the Commissioner’s decision by the High Court of Ireland, which then referred the case to the CJEU.
In its ruling, the CJEU confirms that a national data protection authority is always empowered to challenge the adequacy of data transfers. More importantly, the ruling goes beyond this specific question by declaring that Safe Harbor does not in fact provide an adequate level of data protection, because it is unable to prevent large-scale access by the US intelligence authorities to data transferred from Europe.
The practical effect of Schrems
The decision invalidating Safe Harbor has the following immediate consequences:
- Transfers of personal data from the EU to the US currently covered by Safe Harbor will be unlawful unless they are suitably authorised by data protection authorities or fit within one of the legal exemptions.
- Multinationals relying on Safe Harbor as an intra-group compliance tool to legitimise data transfers from EU subsidiaries to their US parent company or other US-based entities within their corporate group will need to implement an alternative mechanism.
- US-based service providers certified under Safe Harbor to receive data from European customers will need to provide alternative guarantees for those customers to engage their services lawfully.
It is also critical to appreciate that the CJEU did not rule on whether the Safe Harbor principles were sufficiently close to the European data protection standards. The CJEU ruled that Safe Harbor is no longer a valid mechanism to legitimise data transfers because it does nothing to address the potentially excessive interference of US law with the fundamental rights to privacy and data protection that exist under EU law. Therefore, any alternative mechanisms being relied on will need to address this specific point by ensuring that they refer to this potential conflict in a data protection compliant way.
Data transfers can lawfully be made with the consent of the individual. However, consent must be freely given and, while it is possible to make consent a condition for the provision of a non-essential service, consent is unlikely to be valid if the individual has no real choice. This is particularly the case in the context of employment where, if an existing employee is required to agree to the international transfer of personal data, any consent given is unlikely to be valid if the penalty for not agreeing is dismissal.
Consent must also be specific and informed. This means that the individual must know and understand what such consent will amount to. Individuals should be informed of the reasons for the transfer and, if possible, the countries involved. In addition, any identified risks involved in the transfer should be brought to the individual’s attention. As a result, in practice it will be very difficult to make a valid argument that consent provides a lawful basis to legitimise international data transfers.
The EU authorities’ position
The EU Article 29 Working Party issued a statement following the CJEU decision emphasising that affected businesses should start to put in place legal and technical solutions in a timely manner to meet EU data protection standards. The statement gave a January 2016 deadline for companies to come into compliance with the ruling, at which point EU data protection authorities would be “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”
Therefore, the EU data protection authorities have made it clear that they expect companies to ensure an adequate level of protection for European data at all times. In the meantime, the Working Party will continue to analyse the available transfer tools, such as the Standard Contractual Clauses and Binding Corporate Rules, but these transfer mechanisms can be subject to investigation by data protection authorities to protect individuals in “particular cases,” for instance on the basis of complaints.
Before the January 2016 enforcement deadline, companies that previously relied on Safe Harbor for their EU to US transfers should follow this process:
- Carry out a data transfers assessment to identify which data transfers from the EU to the US had been legitimised by Safe Harbor.
- Prioritise key transfers for the business by reference to the nature of the data and its use.
- For intra-group transfers, identify all of the entities involved and assess the most suitable alternative to Safe Harbor. In the short term, this is likely to involve an interim contractual solution whilst more permanent mechanisms – such as BCR – are considered.
- For transfers to service providers, review any existing contracts for references to Safe Harbor and determine whether the relevant vendor is offering a suitable contractual option or is able to rely on a Processor BCR.
- US-based service providers should consider the most appropriate legal mechanism to enable customers to continue to use their services lawfully.
- Finally, whatever the mechanisms used, ensure that they include suitable measures to deal with requests for disclosure of personal data by law enforcement authorities.
Eduardo Ustaran is a partner in the Privacy and Information Management practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email firstname.lastname@example.org. Twitter @EUstaran. This piece originally appeared on the Internet Newsletter for Lawyers and is shared with the author and publisher’s permission.