Background
On 6 October 2015, the Court of Justice of the European Union (“CJEU”) handed down its landmark judgment in Maximillian Schrems v Data Protection Commissioner (Case C-362/14), in which it declared the Safe Harbor arrangement, which allowed companies to transfer personal data belonging to European citizens to the US, to be invalid.
Following the CJEU’s judgment, the European Commission and US Authorities have recently reached a political agreement regarding a replacement for the Safe Harbor arrangement, which will be known as the “EU-US Privacy Shield”. However, at this stage, the practical impact of the EU-US Privacy Shield remains to be understood.
Facts
Following the revelations made by Edward Snowden in 2013 concerning the extent of access by US intelligence and law enforcement agencies to the personal data of European citizens held by US organisations, Austrian privacy activist Maximillian Schrems filed a complaint with the Irish data protection authority (“Irish DPA”). The complaint challenged Facebook’s reliance on the Safe Harbor arrangement to transfer personal data to the US. He claimed that the Safe Harbor arrangement did not provide an adequate level of protection for transferred data.
The Irish DPA rejected the complaint as it considered that Facebook’s transfers relied on an adequacy decision of the European Commission (the “Safe Harbor Decision”) and that it did not have the authority to review or challenge the Safe Harbor Decision.
Mr Schrems appealed to the Irish High Court which, in turn, referred a question to the CJEU on whether the Irish DPA was bound by the Safe Harbor Decision, or whether the Irish DPA could, or indeed must, conduct its own investigation in light of the factual developments since the Safe Harbor Decision was issued.
Decision
The CJEU ruled that a European Commission decision finding that a country outside the European Economic Area (“EEA”) ensures an adequate level of protection cannot prevent a national data protection authority from investigating a complaint alleging that an adequate level of protection is not afforded, nor prevent the national data protection authority from suspending a contested transfer of personal data. In addition, the CJEU declared the Safe Harbor Decision to be invalid as it did not provide “a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU”.
The CJEU’s judgment is significant for all organisations transferring personal data from the EEA to the US in the course of their businesses. It is no longer possible to rely on the Safe Harbor arrangement to undertake such transfers.
What’s next?
The European Commission and US authorities reached a political agreement on 2 February 2016 on a replacement for the Safe Harbor framework named the “EU-US Privacy Shield”.
The European Commission stated that the EU-US Privacy Shield will include three key elements:
- Strong obligations on companies handling EU citizens’ personal data and robust enforcement. The US Department of Commerce will monitor whether US companies publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission.
- Clear safeguards and transparency obligations on US government access. The US has given written assurances that access to personal data by public authorities will be subject to clear limitations, safeguards and oversight mechanisms. For the first time, the US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new EU-US Privacy Shield.
- Effective protection of EU citizens’ rights with several redress possibilities. Any European citizen who considers that their data has been misused under the EU-US Privacy Shield will have several possibilities of redress and US companies will have deadlines to reply to complaints. A new Ombudsperson will also be created to hear complaints on alleged access to personal data by US intelligence authorities.
Whilst the EU-US Privacy Shield is a welcome development, the political agreement between the European Commission and the US is not legally binding. The Article 29 Working Party is due to analyse the EU-US Privacy Shield in the coming weeks and make recommendations to the Commission before an adequacy decision is adopted. Until then, it remains unclear what practical impact the EU-US Privacy Shield will have.
In the meantime, companies should review their current EU-US data transfer mechanisms to ensure that the legal basis for any data transfers made to the US is properly understood. In addition to imposing contractual obligations on US organisations regarding their use of personal data, companies should also consider whether any additional technical measures could be implemented to improve data security. In these uncertain times, by ensuring the widest possible range of safeguards to protect EU citizens’ personal data, companies can reduce the likelihood of falling foul of data protection authorities.
Co-authored by Rachael Johnston.