In October 2015, the Court of Justice of the European Union (CJEU) delivered its eagerly-awaited decision in the Facebook “Safe Harbour” case (Maximillian Schrems v Data Protection Commissioner, Case C-362/14, 6 October 2015).
The court’s decision effectively demolished the existing Safe Harbour regime as we know it, and arguably sent a seismic tremor through the European privacy world and beyond. Without a doubt, its impact was most strongly felt in relation to EU-US data transfers, affecting thousands of US-based businesses with EU clients and staff (at the time of writing, the online US Safe Harbour list of companies contains more than 5,500 entries).
This article reviews the Schrems decision, considers where we are now, and looks at what the future may hold for EU-US personal data transfers.
The export of personal data outside the EU is heavily regulated by EU law. At a high level, the Charter of Fundamental Rights of the EU includes the right to protection of personal data (Article 8). To give effect to this, the EU’s Data Protection Directive (95/46/EC) sets out the following regime:
In 2000, the European Commission determined that the US Safe Harbour regime (under which businesses self-certify that they comply with a series of practices which were thought to be broadly consistent with EU privacy expectations) constituted “adequate safeguards” for the purposes of the Directive (2000/520/EC). Unfortunately, that determination was before Edward Snowden revealed in 2013 widespread surveillance by the US National Security Agency of EU personal data transferred to “Safe Harbour” entities in the US.
Max Schrems, the Irish Data Protection Commissioner and the CJEU
In light of the Snowden revelations, Max Schrems (an Austrian Facebook subscriber) made a complaint to the Irish Data Protection Commissioner about Facebook exporting his personal data (from its EU base in Ireland) to the US. The Irish Commissioner rejected his complaint because Facebook (specifically, Facebook, Inc.) is a registered US “Safe Harbour” company under the US Safe Harbour regime. Mr Schrems appealed that decision to the Irish High Court and the High Court referred two questions of law to the CJEU.
In its decision, the CJEU said that:
So what now?
2018 and beyond: the General Data Protection Regulation
Before discussing Schrems it is worth mentioning the General Data Protection Regulation (GDPR).
On 15 December 2015 the EU Commission, Parliament and Council of Ministers announced that they had finally reached agreement on the text of the GDPR. Replacing the current Directive, the GDPR will come into force in 2018 and be directly applicable throughout the EU. Unlike the Directive, it will not rely upon the various EU countries to enact their own implementing legislation. For the first time, the EU will have one data privacy law applicable across its entire territory.
So how relevant is the Schrems decision given that we are about to usher in a new age of EU data privacy regulation?
The short answer, at least in the context of data transfers, is that Schrems remains very relevant. Those expecting significant changes to the existing regime will be disappointed. Most of the GDPR simply reflects the existing rules of the Directive, but with some of the unnecessary red tape removed (such as requiring prior authorisation for transfers based on Binding Corporate Rules (BCRs)).
So, for now, the CJEU’s decision in Schrems and its broader impact on data transfers outside the EU, are likely to be just as relevant to the new GDPR as they are to the Directive.
Post-Schrems Options for EU-US Data Transfers
The loss of the current Safe Harbour regime is not the end of the world when it comes to EU-US data transfers. At least, not entirely, although reactions to the decision have been varied.
So, what are the options?
Option One: Do Nothing … for Now
Or, as the UK regulator has suggested, “Don’t panic”!
On 27 December 2015, David Smith (Deputy Commissioner and Director of Data Protection) wrote a blog recommending that data controllers shouldn’t rush to exit the existing regime, essentially because “the Safe Harbor does at least provide [EU data subjects] with some genuine protection even if such protection is imperfect”.1 In a similar vein, it is worth noting that the US Department of Commerce continues to operate the Safe Harbor regime, albeit it now comes with a health warning on its first page.2
There is no reason in principle why a particular EU data controller cannot continue to rely upon the old Safe Harbor regime on the basis that, in its particular circumstances it continues to provide “adequate safeguards” within the meaning of the Directive. Blanket Safe Harbor approval may have been washed away, but it may arguably still be justifiable in the particular circumstances of a transfer – a position the UK regulator appears to be open to, though possibly not other regulators (though the Article 29 Working Party did issue a moratorium on enforcement action until the end of January 2016 at least).
Option two: Article 26(1) Consent
The first non-Safe Harbor option to consider is consent of the data subject for the transfer of their personal data outside the EU (Data Protection Directive, Article 26(1)). Unfortunately, this option is difficult in the HR context for two reasons.
First, it is often impractical to obtain consent from all EU-based employees, raising the problem of how to deal with those from whom consent is unable to be obtained.
Secondly, the very concept of freely-given consent in the HR context is met with suspicion by EU data privacy authorities. As the UK’s Information Commissioner puts it: “There are limitations as to how far consent can be relied on in the employment context to justify the processing of personal information. To be valid, for the purposes of the [law], consent must be “freely given”, which may not be the case in the employment environment.”3
So relying upon consent is, unfortunately, not recommended when it comes to employees.
Option three: Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs)
In the immediate aftermath of Schrems, the EU’s Article 29 Working Party (the standing EU committee overseeing data privacy matters) rushed to point out there still exists other options under the Directive for transferring personal data between the EU and the US.4 It was referring specifically to the use of SCCs and BCRs.
SCCs are (as their title suggests) a set of standard contractual clauses that may be entered into between an EU data controller and a third party outside the EEA. They were issued by the European Commission under Article 26(4) of the Directive, which expressly allows it to approve standard contractual clauses for personal data transfers to third parties in non-EEA countries.
BCRs are legally enforceable rules dealing with the transfer of personal data outside the EEA between members of the same corporate group. They are a form of alternative “adequate safeguard” within the meaning of Article 26(2) of the Directive blessed by the Article 29 Working Party5, though in the future they will be dealt with directly in the GDPR.
Opinions have been mixed on the extent to which SCCs and BCRs may also now be invalid in light of the Schrems decision. The issue is whether the Snowden revelations and Schrems mean that approved SCCs or BCRs are also invalid, given that the considerations identified by the CJEU and applicable to the Safe Harbor regime are potentially also applicable to other mechanisms under the Directive.
At one end of the spectrum, both the European Commission and the Article 29 Working Party remain upbeat and continue to sing the praises of SCCs and BCRs. At the other end of the spectrum, at a special meeting of the German Data Protection Commissioners (the DSK) in Frankfurt on 21 October 2015, the DSK published a position paper stating that not only would they not allow any further “Safe Harbour” transfers out of Germany, but they would also hold off on allowing any new registrations based on SCCs or BCRs pending an independent review of their validity.6
So, for now, it remains questionable whether in the long term SCCs and BCRs will continue to be viable options to the Safe Harbor regime. However, in the short term, for businesses with the resources to do so there is no reason why they shouldn’t use SCCs or BCRs as a back-up to the Safe Harbor regime.
Option four: the Safe Harbor 2.0
Even before the Snowden and Schrems developments, concerns were being raised as to the efficacy of the existing Safe Harbor regime.
On 27 November 2013 the European Commission issued a communication noting that “The current Safe Harbour arrangement is based on the voluntary adherence of companies, on self-certification by these adhering companies and on enforcement of the self-certification commitments by public authorities. In this context any lack of transparency and any shortcomings in enforcement undermine the foundations on which the Safe Harbour scheme is constructed.” (Brussels, 27/Nov/2013, COM(2013) 847). It went on to suggest a 13-point plan for updating the Safe Harbor principles.
Discussions have been ongoing since then on the creation of a Safe Harbor 2.0. Schrems didn’t lead to the review; if anything, all the decision did was to provide a timely kick in the proverbial backside.
And as recently as 7 January 2016, the European Data Protection Supervisor (EDPS), Giovanni Buttarelli, issued a press release setting out his team’s priorities for 2016. Not surprisingly, his list included “adequate protection in international data transfers”.7
So where are we now?
The short answer is that at he time of writing, we still await finalisation of a new Safe Harbor regime. However, time is quickly running out: the Article 29 Working Party has only given the EU and US until the end of January 2016 to come up with a workable proposal, before it encourages data protection authorities to start considering enforcement action.
The Snowden revelations and the subsequent Schrems decision have shone a very focussed light on EU-US data transfers.
In doing so, they have highlighted serious inadequacies in the existing Directive and, in particular, the Safe Harbor regime. Although alternative legal mechanisms for transferring personal data outside the EU theoretically exist, in practice none are completely satisfactory.
Unless the EU and US are able to reach a consensus on law reform shortly, which may involve a root-and-branch update of existing EU and US privacy laws, the position is likely to continue to be wholly unsatisfactory for organisations trying to conduct transatlantic business in the foreseeable future.
1 “The US Safe Harbour – breached but perhaps not destroyed!”, 27 October 2015. https://iconewsblog.wordpress.com/2015/10/27/the-us-safe-harbor-breached-but-perhaps-not-destroyed.
3 The Employment Practices Data Protection Code, found at https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf.
4 Press statement, Brussels, 16 October 2015. http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf.
5 Working Document: Transfers of Personal data to third countries: Applying Article 26(2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers (June 2003) http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2003/wp74_en.pdf.