Earlier this week, the Court of Justice of the European Union (CJEU) issued its long-awaited ruling in the case of Maximillian Schrems v. Irish Data Protection Commissioner (C-362/14) and effectively killed the Safe Harbour Decision, adopted by the European Commission in 2000 for cross-border transfers of personal data from the EU to the US. This is the beginning of a new era for EU-US data exchanges, and perhaps for data protection regulation "tout court".
A recap of the facts
The case started with a young Austrian citizen, Max Schrems, with a Facebook account.
When Max heard Edward Snowden's 2013 revelations about the massive and indiscriminate surveillance by US intelligence services of personal data held on, amongst others, social media platforms, he felt something was not right. He lodged a formal complaint with the Irish Data Protection Authority (DPA), claiming that US law and practice did not offer adequate protection against US surveillance of his Facebook data, as required under EU law to safeguard the EU fundamental rights to privacy and data protection.
The Irish DPA rejected the complaint, arguing that its hands were tied because the European Commission itself had confirmed in 2000 that the US, or at least its Safe Harbour framework, offered an adequate level of protection. On appeal, the High Court of Ireland did not find the situation so self-evident and referred the case to the CJEU. The key question was whether a national DPA is bound by such a Commission decision in the course of its own investigation.
What exactly is Safe Harbour?
Under the existing Data Protection Directive (95/46/EC), personal data may only be transferred outside the EU if the country of destination provides an adequate level of protection. The European Commission has the power to determine whether a country offers an adequate level of protection by means of adequacy decisions. In 2000 it adopted the Safe Harbour Decision, which over the past 15 years has been one of the core mechanisms for transfers of personal data from the EU to US organisations that had voluntarily self-certified under the US Safe Harbour framework.
What did the CJEU decide?
Law Square was present at the hearings, and it was clear that the CJEU meant serious business. Both the Judge Rapporteur and the Advocate General took the opportunity to drill into the key principles and critical issues of EU data protection law at stake. Those hearings translated into the somewhat expected, though still bold, CJEU Judgment of Tuesday 6 October 2015 declaring the Safe Harbour adequacy decision invalid. In line with Advocate General Bot's opinion, the CJEU held that the existence of a Commission decision cannot eliminate or reduce the powers of national DPAs under EU law. In other words, national DPAs retain the power to investigate, in full independence, whether a transfer of personal data complies with EU data protection law, irrespective of whether an adequacy decision exists. The CJEU Judgment also contains other ground-breaking reasoning, which will fuel forthcoming Law Square news alerts.
What does this mean for businesses?
Personal data transfers to the US that rely on Safe Harbour no longer have a lawful basis. If you transfer personal data from the EU to the US, this matter should be put on the agenda of your next board or decision-makers' meeting. Also check with your IT suppliers whether they route or store your personal data in the US in any way, for example through US-hosted cloud or SaaS services.
New impact and adequacy assessments need to be performed, and corrective measures put in place, to provide a lawful basis for these cross-border transfers as soon as is reasonably possible within your organisation. There are in fact other options aside from Safe Harbour, such as the Commission's standard contractual clauses (model clauses) or binding corporate rules for intra-group transfers.
Tackle this issue as soon as possible. While we expect some leniency from DPAs in the wake of the CJEU Judgment, we cannot exclude that some DPAs will take immediate enforcement action. In that case, it is best if you at least have an assessment and an action plan ready.