What port in a data storm? EU-US data transfers after the Schrems decision

Published: 11/12/2015

This article was first published in DataIQ

On 6 October 2015 the Court of Justice of the European Union (CJEU) made its landmark ruling in the case of Maximillian Schrems v Data Protection Commissioner (C-362/14) declaring Decision 2000/520 of the European Commission (the Safe Harbour Adequacy Decision) invalid. The ruling, which is immediately effective, has caused widespread consternation amongst the thousands of businesses that have relied on Safe Harbour to validate transfers of personal data from the EU to the US in the 15 years since its introduction.

It is suggested that those seeking a fuller understanding of the ruling read this article, which includes a review of the legal and factual background to the case and summarises the reasoning of the CJEU, in full. Those seeking more specific advice on alternatives to Safe Harbour and practical steps required in light of the ruling will find the sections on Alternatives to Safe Harbour and Next Steps – A Practical Checklist of most relevance.

The case in context

Under Article 25 of the EU Data Protection Directive (95/46/EC) (the Directive) a business may not transfer personal data to a country outside of the EEA unless the recipient country provides an adequate level of protection for that data. This requirement is implemented into UK law as the eighth data protection principle in the Data Protection Act 1998. The European Commission (the Commission) has made a positive finding of adequacy in respect of a handful of countries (Andorra, Argentina, Canada, Faroe islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay) enabling data controllers to transfer personal data to those countries freely and without need to take any further action to ensure compliance with Article 25. The US is a notable omission from this list of countries.

Despite an overwhelming commercial demand for freedom to transfer data to the US, a finding of adequacy in respect of the US by the Commission has been impossible given the dearth of effective national data protection legislation in the US. Safe Harbour, negotiated between the Commission and US government as a political compromise, enabled transfer of data to the US without necessitating a finding of adequacy by the Commission. Under Safe Harbour, US companies agree to adhere to a set of privacy principles (a condensed version of those in the Directive) and submit to enforcement by the US Federal Trade Commission. Once registered under Safe Harbour, a US company is treated as meeting the adequacy requirements in the Directive and data controllers may transfer personal data to that company freely. More than 4000 US companies have completed the registration process with the US Department of Commerce and now rely on Safe Harbour to enable transfers of data to the US.

Safe Harbour, already the subject of criticism and review, came under fresh scrutiny following Edward Snowden’s 2013 revelations regarding US National Security Agency (NSA) data surveillance practices. EU-US negotiations regarding the introduction of a revised Safe Harbour (dubbed Safe Harbour 2.0) intended to address shortcomings in the existing scheme had been ongoing for two years at the time of the CJEU's ruling.

The case - a factual and procedural overview

Mr Schrems, Austrian law student, privacy advocate and Facebook user, made a complaint to the Irish Data Protection Commissioner (DPC) seeking to prevent Facebook from transferring his personal data to the US. Schrems argued that US law and practice did not afford adequate protection for his data against the mass surveillance brought to light by Snowden. The DPC rejected Schrems’ complaint as unfounded on the basis that it was bound by the Safe Harbour Adequacy Decision.

Schrems challenged the DPC's decision before the Irish High Court. The court found that whilst electronic surveillance and interception of personal data transferred to the US may serve necessary objectives in the public interest, the Snowden revelations demonstrated a “significant over-reach” on the part of the NSA and other US federal agencies. The court also found that EU data subjects have no effective right to be heard as part of the US oversight proceedings. The court considered that the Safe Harbour Adequacy Decision failed to satisfy the requirements of Article 7 (right to respect for private life), Article 8 (right to protection of personal data) and Article 47 (right to a fair trial) of the Charter of Fundamental Rights of the European Union (Charter).

The Irish High Court referred the following questions to the CJEU:

  • When determining a complaint that a third country’s law and practices do not contain adequate protection for data being transferred to it, is a national supervisory authority (such as the DPC) bound by the Safe Harbour Adequacy Decision, having regard to Articles 7, 8, and 47 of the Charter and Article 25 of the Directive?

  • May and/or must the DPC conduct its own investigation of the matter in light of factual developments (such as the Snowden revelations) since the Safe Harbour Adequacy Decision was made?
The CJEU’s decision - key findings

The CJEU held that

  • a national supervisory authority may examine the claim of a data subject concerning processing of personal data transferred from a member state to a third country when that data subject contends that the law and practices in force in the recipient country do not ensure an adequate level of protection and that it may apply appropriate remedies where breach is found.

  • the Safe Harbour Adequacy Decision is invalid.
The CJEU emphasised that where the validity of a Commission decision is in question, both national supervisory authorities and individual data subjects must be able to bring proceedings before the national courts so that the case can be referred to the CJEU. As a matter of jurisdiction, only the CJEU may declare a decision of the Commission to be invalid.

The CJEU’s reasoning - why did it find invalidity?

The CJEU did not find Safe Harbour in itself to be invalid. Safe Harbour is still in operation; the US Department of Commerce continues to accept new applications and to issue renewal certificates and those signed up to Safe Harbour are still bound by its principles. What the CJEU found to be invalid was the Safe Harbour Adequacy Decision. Therefore, whilst Safe Harbour remains in place, businesses can no longer rely on the fact that a US Company has registered under Safe Harbour to satisfy the adequacy requirements under Article 25 when transferring data to the US.

In considering the validity of the Safe Harbour Adequacy Decision, the CJEU determined that the Commission was required to find that the US ensures, through its domestic laws or international commitments, a level of protection of data subjects’ fundamental rights equivalent to that guaranteed by the Directive read in light of the Charter.

The CJEU observed that Safe Harbour is based on voluntary self certification, is only applicable to those US undertakings that agree to adhere to it and that US public authorities are not subject to Safe Harbour. The CJEU particularly noted that US national security requirements take priority over Safe Harbour so that any US undertakings certified under Safe Harbour are bound to
disregard the Safe Harbour principles where they conflict with any US national security, public interest or law enforcement requirements. US legislation allows US public authorities access, on a generalised basis, to data transferred to the US without qualification or limitation by reference to specific objectives or objective criteria. Under US legislation a data subject has no rights to access data or to obtain rectification or deletion of data. Finally, the CJEU found that the Safe Harbour Adequacy Decision restricts certain powers granted to national authorities under the Directive. 

The CJEU concluded that fundamental rights of data subjects under the Charter had been compromised and that the Safe Harbour Adequacy Decision must therefore be declared invalid.

Alternatives to Safe Harbour

The Article 29 Working Party (an advisory body established by the Directive) released a statement following the ruling confirming that transfers taking place under Safe Harbour are now unlawful. Although negotiations for Safe Harbour 2.0 are continuing it is uncertain when these will reach a conclusion. In the longer term it is entirely possible that businesses will be able to look to Safe Harbour 2.0 to validate EU-US data transfers but those which wish to continue transferring data to the US in the interim need to start reviewing and implementing alternative measures as soon as possible.

Alternative measures under the Directive include:
  • EU model clauses
The Commission has approved standard contractual clauses for both controller to controller and controller to processor data transfers. For many, implementation of Model Clauses will offer the most realistic alternative to Safe Harbour though any business planning on adopting this measure should take time to fully understand how the Model Clauses work and the obligations they impose. The following issues are particularly noteworthy:

  • Model Clauses may be used either on a stand-alone basis or incorporated into other contracts but in either case the Model Clauses must be used in their full and original form to ensure compliance with Article 25. Use of amended Model Clauses (even a simple change of wording which has no impact upon their practical effect) will not constitute use of authorised Model Clauses as required to demonstrate adequate safeguards for data transfers. Businesses seeking to incorporate Model Clauses into contracts should take particular care to ensure that no other contractual term impacts upon the effect of the Model Clauses. Whilst there is nothing preventing businesses from deviating from the Model Clauses and creating entirely bespoke contractual solutions if they so wish they must be prepared to evidence how their contracts provide adequate safeguards if challenged.

  • Model Clauses will not be applicable in every situation; in particular, there are currently no model clauses in place for processor to processor transfers.

  • The Model Clauses contain onerous sub-processing obligations requiring data processors to ensure that their sub-processors have signed up to terms identical to the Model Clauses. This can prove difficult and it may take time for data processors to get their houses in order.

  • Finally, a somewhat obvious point but one which bears repeating. A business will not ensure compliance with Article 25 simply by the act of signing the Model Clauses – effective implementation demands that the business actively shapes its operational procedures to adhere to the obligations and restrictions set out in the Model Clauses on an ongoing basis.

  • Binding Corporate Rules (BCRs)
BCRs allow multinational groups to make intra-group cross-border data transfers in compliance with Article 25. Those considering implementation of BCRs should take note of the following:

  • BCRs do not offer a quick fix; the implementation process is complex and lengthy. Groups must prepare a single set of coherent rules that can be implemented across the group which require approval by one lead data protection authority with the assistance and oversight of two others. The approval process itself will take a minimum of 12 months.

  • BCRs only cover intra-group transfers. Separate measures will be required in respect of any extra group data transfers.

  • Data protection authorities can withdraw their approval for a company’s BCR declaration though no examples of this happening in practice are known.
It should be noted that commentators and data protection authorities alike have been quick to voice concerns that both the BCRs and the Model Clauses could face findings of invalidity on the same grounds as Safe Harbour. The German data protection authority for the state of Schleswig-Holstein has adopted a particularly hard-line approach, releasing a public position statement in which it advises that use of Model Clauses can no longer be permitted and makes explicit reference to its powers to impose fines of up to €300,000 for breach of German data protection laws.

The Article 29 Working Party acknowledged in its own statement that there are genuine concerns regarding the use of Model Clauses and BCRs following the ruling but nevertheless encourages businesses to look to these as an alternative solution to Safe Harbour. As matters stand, it would appear that Model Clauses may be the only realistic alternative for many businesses in the short term but that those relying on them as an alternative to Safe Harbour would be well advised to continue to closely monitor the situation and be prepared for the fact that further change may be required in the future.

  • Derogations

  • Data transfers can be made to third countries without regard to the adequacy requirements in any of the following apply:

  • The data subject has given unambiguous consent.

  • The transfer is necessary for the performance of a contract between data subject and data controller.

  • The transfer is necessary for conclusion or performance of a contract concluded in the interests of the data subject between the data controller and a third party.

  • The transfer is necessary or legally required on important public interest grounds or for the establishment, exercise or defence of legal claims.

  • The transfer is necessary to protect the vital interest of the data subject.

  • The transfer is made from a public register.
Use of the derogations will need to be carefully reviewed in each case bearing in mind guidance issued by the Information Commissioner regarding their use. For example, whilst consent may appear at first glance to be a convenient solution, it is clear from the guidance that not only may it be difficult to obtain appropriately informed consent but that consent is not viewed as a viable option for long term structured data transfers. However, depending upon the business model, derogations can provide a useful source of solutions, at least as an interim measure.

On a more practical note, businesses are advised to review their operational procedures and consider whether opportunities exist for addressing compliance issues through operational changes such as switching to alternative suppliers within the EEA or anonymising data.

Next steps – a practical checklist

At this stage further guidance is still awaited from data protection authorities and, whilst it cannot be ruled out, no immediate enforcement action is anticipated. However, businesses do need to review their positions as a matter of priority and at least identify, if not yet actively implement, new compliance measures. The following steps may assist businesses in this process:

  • Map data flows to identify any EU – US data transfers (consider data transferred as part of core goods/service offering or business function; transfers within the network or group; use of processors and sub-processors; use of business systems such as email, CRM platforms or cloud-based data storage).

  • Review transfer arrangements to establish whether Safe Harbour is used – contact processors and service providers to find out what measures they have in place and what changes they are making.

  • Consider what alternative measures may be appropriate in the short term – look at application of derogations, use of Model Clauses, operational changes.

  • Consider longer term strategy – consider BCRs as well as Model Clauses, derogations and operational changes.

  • Keep updated as further guidance is released by data protection authorities and announcements made on Safe Harbour 2.0. Consider whether further changes will be required when the new General Data Protection Regulations come into force (expected 2017).

  • Consider updated/new registrations, approvals or notifications needed with data protection authorities.

  • Review and update privacy policies, notices, consents, internal policies procedures as well as contractual arrangements with third parties.

  • Consider impact on any specific projects that are underway or planned.

  • Keep written records of all measures considered and actions taken.

  • Keep stakeholders informed.

For further information on data transfers please contact Kitty Rosser. This article provides only a general summary and is not intended to be comprehensive. Specific legal advice should be taken in any individual application. Law covered as at December 2015.

People Finder