Data Protection Report - Norton Rose Fulbright

This week, the Court of Justice of the European Union (“CJEU”) ruled that the EU-US Safe Harbor Decision is invalid in Case C-362/14 (the “Schrems” case).  This followed a similar opinion from its Advocate General, which also sets out the facts of the case.

The decision affects any business that relies on the EU-US Safe Harbor to legitimize storing in the US, or accessing from the US, personal data that is subject to EU data protection rules. It could affect cloud service providers, companies that use cloud services, intragroup shared services and any other export flow to the US that relies on Safe Harbor as its transfer mechanism.

In this post we look at what the CJEU decided and on what grounds, and what affected businesses should do next.

Key elements of the decision

CJEU declares EU-US Safe Harbor invalid – The CJEU declared the EU-US Safe Harbor Decision invalid on the following grounds:

  • the Commission could only find that the EU-US Safe Harbor provided adequate protection if it ensured a level of protection essentially equivalent to that guaranteed within the EU by the Data Protection Directive 95/46/EC and the Charter of Fundamental Rights of the EU;
  • a key element of equivalence is that the “legal order” of the US (i.e., its domestic law or international commitments) must ensure an adequate level of protection of personal data;
  • the EU-US Safe Harbor Decision contains a derogation for national security, public interest or law enforcement requirements, and expressly requires self-certified organizations receiving EU data to comply with those requirements where they conflict with, and are incompatible with, the Safe Harbor principles;
  • an adequate level of protection in this context requires clear and precise rules governing the scope and application of any measure that interferes with an individual’s privacy rights (such as those used in the US for national security purposes), together with minimum safeguards, so that personal data are effectively protected against the risk of abuse and unlawful access;
  • adequate protection also requires that individuals/data subjects have an avenue to seek effective judicial protection and to pursue legal remedies in order to obtain access to their personal data, or its rectification or erasure;
  • the CJEU found that the EU-US Safe Harbor Decision contained no assessment of these latter two points and was therefore invalid. The court also found the Decision invalid because it precluded DPAs from challenging its validity before their national courts (which could in turn refer the question to the CJEU).

Impact for businesses

All transfers made solely under EU-US Safe Harbor immediately lost their legal basis

The ruling contains no transitional measures, nor does it address the status of transfers made under the EU-US Safe Harbor before October 6, 2015 (the date of the judgment).

The Commission and the Article 29 Working Party (made up of representatives of the DPAs of all 28 EU member states) are meeting this week to consider how to coordinate the DPAs’ response to these questions. Commission or Article 29 Working Party guidance is expected within the next two weeks, but in the meantime national DPAs have been issuing their own interpretations.

This leads to the question of whether it is safe to wait for a new Safe Harbor “II” to be agreed or whether immediate steps should be taken to find a new means of legitimizing personal data export to the US.

How quickly will Safe Harbor II be agreed?

The negotiations on revisions to the EU-US Safe Harbor Decision had been reported to be close to finalization. However, it is not clear whether Safe Harbor II will satisfy the CJEU’s tests, nor whether the US legislature has the appetite to make the changes required. In addition, once (or if) a Safe Harbor II is agreed, the changes may require some lead time for organizations to implement before they re-certify.

Absent a very strong political impetus to compromise, there is likely to be a delay of at least several months before businesses will be able to rely on Safe Harbor II.

Derogations that can be used

In addition to adequacy decisions, there are a number of derogations that could be used which may not have been fully considered by your business when the decision to use EU-US Safe Harbor was originally taken. Data subject consent is the most obvious, although doubts exist as to its viability where there is an imbalance between the controller and individual or where the individual cannot in practice withdraw his or her consent. As a first step, these derogations should be checked to ascertain which transfers can be legitimized without further action.

If your business is already subject to binding corporate rules, it will most likely be in the same position as a business that adopts EU Model Clauses (discussed below), although there is no Commission decision governing the use of binding corporate rules.

EU Model Clauses

The solution that most organizations are reaching for at this point is the set of EU Commission-approved model clauses (“EU Model Clauses”). There are several versions, catering for transfers to importers who receive the personal data as a processor or as a controller. The validity of the EU Model Clauses also depends on EU Commission decisions (e.g., Commission Decision 2010/87). However, those decisions (unlike the EU-US Safe Harbor Decision) expressly allow DPAs to suspend data flows under the EU Model Clauses if the national security derogations of the importer’s country go beyond what would be acceptable under EU law. As a result, the EU Model Clauses themselves should not be open to an invalidity challenge on the grounds that they are inherently unworkable. There remains a risk, however, that a DPA could determine, particularly on the basis of US surveillance practices and the lack of judicial redress for EU citizens in the US, that the US does not meet EU standards in this respect, and that transfers under the EU Model Clauses should therefore also be suspended.

Will national level enforcement action come quickly?

We understand that Mr. Schrems’ case is due to come back before the Irish High Court shortly. It is possible that Mr. Schrems will continue to probe whether DPAs should or should not be suspending data flows under the EU Model Clauses or otherwise on the basis of the (lack of) protection available under the current US legal system. However, in the Irish proceedings it should be possible for Facebook and others, including possibly the US government, to plead these issues in a way that was not possible before the CJEU.

Even if DPAs choose to be relatively lenient in their follow-up (particularly as some DPAs must be consulted and must give prior approval before transfers under the EU Model Clauses can begin, which may lead to backlogs), other individuals may complain to them, forcing them to act with some urgency. It is also possible, under conditions that differ between member states, for individuals to bring actions in the courts to enforce their data protection rights, which may also make the need for a workable solution more urgent.

What should businesses do now?

In the short term, despite its risks, implementing an EU Model Clause solution will be the answer for most businesses (unless another derogation is available). In the long term, Safe Harbor II may be the only truly reliable solution. However, the CJEU has set a high bar, and the precise road ahead is quite difficult to predict. Unfortunately, the Schrems decision leaves us facing a period of uncertainty in relation to international transfers that may take some time to work through.

Get more information at our EU-US Safe Harbor breakfast briefing in our London office on November 3, 2015 at 9 am

We are hosting a breakfast briefing in our London office on the impact of Schrems, what compliance with the EU-US Safe Harbor regime requires (or required!) in practice and the alternatives, on November 3, 2015 at 9 am.

The briefing will be led by Boris Segalis (US co-chair of Norton Rose Fulbright’s Data Protection, Privacy & Cybersecurity practice group) and Marcus Evans (European chair). If you would like to attend please click here to register.

Feel free to contact the authors of the post, and make sure to sign up for the blog to continue receiving updates on this and other important data protection topics.