Does the United States provide an adequate level of protection for EU personal data?

The Court of Justice has declared that the EU-US Safe Harbor Framework regarding the transfer of EU personal data is invalid.

On Monday 6 October 2015, the European Court of Justice, based in Luxembourg (hereinafter “the Court”), declared a European Commission Decision invalid in a preliminary ruling. That Decision states that the United States of America ensures an adequate level of protection for the transfer of EU personal data.

This judgment (C-362/14, Maximilian Schrems v Data Protection Commissioner) is important because it directly affects the various companies with activities in the EU that rely on data transfers to the United States.

1. The mechanism of the “Safe Harbor Framework”

According to article 25 of the European Data Protection Directive 95/46/EC (hereinafter “the Data Protection Directive”), personal data can only be transferred from within the EU to a third country if that country ensures an “adequate level of protection”.

In accordance with article 25, section 6 of the Data Protection Directive, the Commission adopted a decision on 26 July 2000 (hereinafter “Decision 2000/520/EC”) that provides for an adequate level of protection through a mechanism, the “Safe Harbor Privacy Principles”, and accompanying guidelines (Frequently Asked Questions), published by the United States (US) Department of Commerce.


This mechanism specifically allowed companies to transfer personal data from the EU to companies in the US that are part of the program, provided the latter commit themselves unequivocally and publicly, through self-declaration and self-evaluation, to comply with the Safe Harbor Principles in accordance with the accompanying guidelines.

Companies like Facebook or Google, which use servers in the US to store personal data, or other companies that store personal data in the “cloud” on servers in the US, subscribed to the “Safe Harbor Principles” and consequently had the necessary certificates to ensure an adequate level of protection of EU personal data in the US.

2. The Court decides that the current EU-US Safe Harbor Framework is invalid

2.1 Case

Maximilian Schrems, an Austrian citizen, has been a Facebook user since 2008. As is the case with other subscribers residing in the EU, some or all of the data provided by Mr Schrems to Facebook is transferred from Facebook’s Irish subsidiary to Facebook’s parent company, whose servers are located in the US, where it is processed.

Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the Snowden revelations made in 2013 concerning the mass surveillance activities of US intelligence services, the law and practice of the US do not offer sufficient protection against surveillance by the public authorities of EU personal data transferred to that country. 

The Irish authority refused to investigate and rejected the complaint, on the ground that Commission Decision 2000/520/EC established a ‘Safe Harbor’ scheme and thus the US provided an adequate level of protection for the transfer of EU personal data.

Therefore, Mr Schrems lodged an appeal before the Irish High Court, which in turn decided to refer two questions to the Court for a preliminary ruling, which seek, in essence, to ascertain whether Decision 2000/520/EC, read in the light of Articles 7 and 8 of the Charter, must be interpreted as preventing a national supervisory authority from 
(i) investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and 
(ii) where appropriate, from suspending the transfer of that data if that national supervisory authority considers that a third country does not ensure an adequate level of protection.

2.2 Judgment of the Court of Justice

The Court has decided that the Safe Harbor Framework is invalid. 

Its reasoning was the following.

First, the Court analyses article 25, section 6 of the Data Protection Directive in the light of the Charter of Fundamental Rights of the EU, more specifically the fundamental right to respect for private life and the right to protection of personal data (articles 7 and 8 of the Charter) and the right to effective and impartial access to justice (art. 47 of the Charter).

The Court concludes that the existence of a Decision of the Commission does not prevent a supervisory authority of a Member State from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.

Subsequently, the Court refers to the conclusion of Advocate General Bot dated 23 September 2015 in which he argues that according to article 25, section 6 of the Data Protection Directive, the term ‘adequate level of protection’ must be interpreted as requiring the third country in fact to proceed to ensure the high level of protection guaranteed within the European Union. 

Obviously, a third country cannot be required to offer guarantees for the same level of protection as that within the EU, but it should at least ensure a level of protection of fundamental rights “essentially equivalent” to that guaranteed in the EU legal order.

Subsequently, the Court ascertains that the Safe Harbor Principles are solely applicable to self-certified US organisations receiving personal data from the EU, hence US public authorities are not required to comply with them.

Furthermore, requirements safeguarding national security, public interest, or law enforcement in the US have primacy over the Safe Harbor Principles, pursuant to which self-certified US organisations receiving personal data from the EU are bound to disregard those principles without limitation whenever they conflict with those requirements.

In its analysis, the Court relies on a critical review by the European Commission, which declared that the US authorities were able to access the personal data transferred from the Member States to the US and were able to process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.

Moreover, the Court criticizes the absence of legislation providing a possibility for an individual to pursue legal remedies in order to have access to his or her personal data, or to obtain the rectification or erasure of that data.

The Court emphasizes that article 25, section 6 of the Data Protection Directive requires a reasoned decision of the Commission that the third country concerned provides actual safeguards for the protection of fundamental rights.

The Court determines that legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data have been transferred from the EU to the US without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use. 

The Court adds that legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.

2.3 Impact of the judgment at the European and national level and how to act proactively?

Since the Court had to answer a question referred for a preliminary ruling, the case now returns to the national court. It will therefore be interesting to follow the pending proceedings before the Irish High Court.

Until further notice, companies can no longer rely on the Decision of the Commission regarding the Safe Harbor Framework for the transfer of EU personal data to the US.

Article 26 of the Data Protection Directive provides for derogations that allow personal data to be transferred to third countries (including the US), even if the country does not ensure an adequate level of protection, if the persons responsible for processing personal data have, among others:

  • obtained unequivocal consent of the party concerned;
  • used the model contractual provisions of the Commission with the recipient of data in the third country;
  • implemented binding corporate rules.

However, in practice, these derogations are not always easy to apply. 

The Article 29 Working Party argues, in its Opinion dated 16 October 2015, that for the time being the model contractual provisions and the binding corporate rules can still be used, but at the same time cautions that these means of transferring personal data should be analysed in the light of the judgment of the Court. After all, every transfer of personal data to a third country and every Decision of the Commission that allows for an adequate level of protection will be subject to, and will have to respect, the EU privacy acquis, including the fundamental rights.

The advisory body calls upon the policy makers to provide an “appropriate solution” by the end of January 2016. 

It should be remembered that, as early as 1998, the Article 29 Working Party gave further explanations of the notion of “adequate level of protection”, both substantive (limiting the use of information to its purpose, the proportionality principle, the transparency principle, respect for the rights of access, rectification and opposition to information) and procedural (a good level of compliance, sufficient support and help for individual data subjects, appropriate redress).

To be clear, the Article 29 Working Party is an independent advisory body composed of representatives from all national privacy protection authorities in the EU, the European Data Protection Supervisor and the European Commission.

In its press release dated 16 October 2015, the Belgian Privacy Commission refers to the Opinion of the Article 29 Working Party and will consequently organise a Forum on 27 November 2015 with stakeholders (lawyers, legal experts and academics) in order to obtain proper and viable solutions for corporations in the short term.

The principles already exist, so in theory things could move quickly. For now, however, we will have to wait and see how policy makers provide guidance in practice.