There’s a lot of talk these days about the so-called “Safe Harbour” agreement between the United States and the European Union, which the Court of Justice of the European Union (CJEU) unexpectedly struck down in October 2015. Over 4,000 U.S.-based companies were relying on Safe Harbour to legally process the personal data of EU citizens on servers based in the United States. The surprise ruling seemed to render those data transfers illegal overnight and expose the companies to the possibility of legal liability if a European data protection authority decided to challenge them.
American companies are not the only ones affected: European companies using U.S.-based cloud services may be equally exposed. And the basis on which the Court rejected Safe Harbour seemed also to leave the legality of other data transfer tools, “binding corporate rules” and “model clauses”, open to legal challenge, even though they were not specifically addressed in the judgment.
So, with an estimated EUR 250 billion of trade in digital services at stake between the EU and its biggest commercial partner, how is it that the CJEU could suddenly tear up such a critical legal instrument? And more importantly, what comes next?
Under the EU data protection Directive 95/46/EC, personal data may not be sent outside of the Union for processing unless the country to which it is sent ensures an “adequate” level of protection, a standard the CJEU has since read as meaning protection essentially equivalent to that prevailing in Europe. As the US was not considered to provide comparable protection in the 1990s, the European Commission adopted a Decision in 2000 declaring that companies who signed up to the “Safe Harbour Principles” and the accompanying “Frequently Asked Questions” issued by the US Department of Commerce for the purpose could in effect create a virtual space that did provide enough protection for such transfers to be considered safe. Companies who signed up could start processing the personal data of EU citizens from the moment they self-certified their adherence to the Safe Harbour Principles. Enforcement of the rules was vested in the U.S. Federal Trade Commission.
In the years immediately following the adoption of the Safe Harbour Decision, in 2002 and 2004, the European Commission issued two reports on the functioning of the regime. Both reports expressed reservations about the transparency of US signatory companies’ privacy policies, and the second one also at least implicitly questioned whether enforcement by the FTC was assiduous enough. However, neither proposed any concrete modifications. In 2013, following the revelations by Edward Snowden about broad U.S. government access to electronic communications, including those of EU citizens, for anti-terrorism purposes, the Commission issued a Communication calling out such access as potentially incompatible with the requirements of EU data protection rules, and resolved to negotiate changes to the Safe Harbour regime to address the issue. In early 2014, the European Parliament adopted a resolution calling for the suspension of Safe Harbour. Negotiations between the EU and the U.S. continued during 2014 and 2015, but stalled on the issue of judicial redress for European citizens. A bill pending before the US Congress would go some way to addressing this final sticking point.
This is where things stood when the CJEU issued its October 2015 ruling in Maximillian Schrems v Data Protection Commissioner. Mr. Schrems, an Austrian law student, had asked the Irish data protection authority (DPA) to force Facebook to stop transferring his personal data to the US, on the basis that the U.S. rules on law enforcement access were incompatible with European data protection law. Data processed by Facebook in connection with Mr. Schrems’ account could thus indirectly be shared with the US authorities without his knowledge and without any recourse being available to him. The Irish DPA declined to investigate the complaint, taking the view that it was beyond its competence to second-guess the legality of Facebook’s data transfers, since (1) the European Commission had duly found in its 2000 Decision that companies signed up to Safe Harbour in effect complied with EU rules, (2) that Decision was binding on all EU Member States, and (3) Facebook was a Safe Harbour signatory. Schrems challenged the DPA’s decision before the Irish High Court. The High Court was sympathetic to Schrems’s view that access by U.S. law enforcement authorities was incompatible with the EU data protection Directive and the EU Charter of Fundamental Rights, which guarantees a right to the protection of personal data as well as rights of access and rectification. The High Court felt that the Irish DPA ought at least to have been prepared to hear the case, and, going further, also queried the compatibility of the Safe Harbour Decision itself with EU law, including the Charter. It submitted a request for a preliminary ruling to the CJEU, the European Union’s highest court, asking whether the Commission’s adoption of the Safe Harbour Decision in 2000 deprived national DPAs of any role in hearing complaints brought by their citizens in connection with its operation.
The CJEU ruled that the Safe Harbour Decision could not be construed as depriving DPAs of the right to hear complaints from their citizens; not only do they retain the right to hear such complaints, they have an obligation to examine them. But the most striking aspect of the ruling was the Court’s finding that the European Commission had erred in adopting an “adequacy” decision in 2000 without actually finding that U.S. law and practice themselves provided an adequate level of protection, quite apart from whatever requirements and safeguards were built into the Safe Harbour Principles, which in any event bind only the self-certified companies and not U.S. public authorities. So without assessing the adequacy of the Principles themselves, the CJEU declared the Safe Harbour Decision invalid. No transition period was announced.
As of the time of writing, there is hope that agreement on a “safer Safe Harbour” will be reached shortly by U.S. and EU negotiators. An informal grace period of three months laid down by the 28 national DPAs comes to an end this week (1st February 2016). DPAs are also expected shortly to issue guidance on the validity (or otherwise) of binding corporate rules and model clauses, instruments approved by national DPAs and the Commission respectively, which appear not to require an explicit finding of adequacy but do not in and of themselves address the law enforcement access issue identified by the CJEU and the Irish High Court.
All of which is making the first few weeks of 2016 more fraught than usual for online advertising and other companies that had been watching the post-Snowden US-EU negotiations with cautious optimism, but are now having to cope with a curve ball from the EU courts.