The EU-US Safe Harbour Agreement has been ailing for many years, but suffered particularly in its latest protracted terminal illness.
The lethal blow came on 6 October 2015 when the Court of Justice of the European Union found in Case C-362/14 Schrems v Data Protection Commissioner that the Safe Harbour Decision[1] (Commission Decision 2000/520/EC) was invalid in its entirety.[2]
While some may shout ‘good riddance’ the declaration of invalidity by the highest court of the EU raises serious questions about the feasibility of personal data transfers from the EU to the USA which comply with EU data protection law and the fundamental right to privacy, enshrined in Article 8 of the European Convention of Human Rights and Articles 7 (privacy) and 8 (data protection) of the EU Charter. This puts all organisations which make regular, automated bulk transfers of personal data from the EU to the US into a difficult position and raises questions about the legal status of those organisations (around 4,500) which are currently signed up.
Background
Since the Guardian newspaper has published successive disclosures made by former NSA security contractor Edwards Snowden about various bulk data collection programs carried out by the US National Security Agency (NSA) starting in June 2013, Safe Harbour has been viewed with a certain degree of suspicion and many felt that reforms are necessary. The EU Commission issued a Communication on 27 November 2013, which emphasized that, because of the new context of exponential growth in data flows since 2000, the importance of such flows for the transatlantic economy, the rapid growth of the Safe Harbour scheme and the disclosures on US surveillance, there was a need to review (and renegotiate) the Safe Harbour scheme; discussions on this have been ongoing in the last two years. Back in 2013 the Commission pointed out that Safe Harbour should be reviewed as to 1) transparency, 2) effective application of the principles by US companies, 3) effectiveness of enforcement and 4) large-scale access by intelligence agencies to data transferred to the USA by Safe Harbour certified companies and made a number of ‘Recommendations’. Recommendation 13 states that the national security exception foreseen by Safe Harbour is ‘only used to an extent that is strictly necessary or proportionate’.[3]
Max Schrems, an Austrian citizen and domicile has been a Facebook user since 2008 and he complained to the Irish Data Protection Commissioner about the transfer of his personal data from Austria to the US, and in particular, potential disclosure of that data to the NSA under the PRISM program (or other programs). He argued that the transborder transfer of his data was illegal under Article 25(1) of the current Data Protection Directive 1995/46/EC, as the US was not providing an adequate level of protection notwithstanding the Safe Harbour Decision 2000/520/EC.
A Facebook user of a European Member State such as Mr Schrems would of course make his contract with the Irish subsidiary, Facebook Ireland Ltd (FIL), who is likely to be the data controller with responsibility for many of the processing operations. FIL is regulated by the Irish Data Protection Commissioner and the applicable law is the Irish implementation of Directive 1995/46/EC, the Irish Data Protection Acts of 1988 and 2003.[4] According to the facts stated in the judgment, some or all of the data of Facebook Ireland’s European users is transferred to ‘servers belonging to Facebook Inc that are located in the US’ where that data is further processed. Therefore, despite the fact that Facebook Ireland’s processing is already subject to EU/Irish data protection regulation, in addition the transfers to the US parent company have to comply with the EU rules on cross-border data transfers.
The Irish Data Protection Commissioner (DPC) turned down as inadmissible Mr Schrems’ complaint, as the complainant could not prove that his data had in fact been turned over to the NSA or other US government agencies. Furthermore, the DPC held that, since the Commission has sanctioned as ‘adequate’ transfers of personal data to the US where the immediate recipient (here Facebook Inc) has joined the Safe Harbour through self-certification and complies with the Principles, it could not contradict this EU Commission finding of adequacy under Article 25(6).[5] The effect of this rejection of the complaint was that the Data Protection Commission could not prevent the transfer of personal data to Facebook Inc through enforcement action under Article 25 (1) of Directive 1995/46/EC.
On challenge to the Irish High Court, the High Court held that the transfers of personal data to Facebook Inc infringed fundamental rights under Irish law. The Irish High Court referred two questions to the CJEU under the preliminary reference procedure.
The Judgment and Issues
The case raises several distinct issues. First, it raises questions about the relationship between and the respective roles of the Commission and the independent data protection authorities in the Member States set up pursuant to Article 28, and in particular the question whether the data protection authorities can prohibit a transfer in circumstances where the EU Commission has found that the state in question provides an adequate level of protection. Secondly, flowing from this, is the question of the relationship between data protection law (Directive 1995/46/EC) and the fundamental rights to privacy and data protection laid down in the EU Charter and in particular whether a transborder data flow, although compliant with an adequacy decision under Article 25(6) of the Directive, could still be a breach of a fundamental right under the Charter (Articles 7 and 8 and the right to a fair trial in Article 47). Thirdly, it raises the question whether the Safe Harbour Decision itself has been breached by the data transfer. Fourthly, it poses the question whether Commission Decision 2000/520/EC should be declared invalid in the light of recent developments. In this context, the CJEU also discussed the meaning of the concept of ‘adequacy’.
Respective roles of the EU Commission and national data protection authorities
Although the CJEU acknowledged the importance of the role of national data protection authorities as independent enforcers,[6] as enshrined not only in Article 28 of the Directive, but also Article 8(3) of the EU Charter and Article 16(2) TFEU,[7] it nevertheless held very clearly in its judgment that the national data protection authorities are bound by an adequacy decision made by the EU Commission.[8] In other words, national data protection authorities do not have the competency to review a Commission adequacy decision and declare it or treat it as invalid, for the sake of the consistency and uniformity of the EU law.[9] However, it also found that the national data protection authorities must hear complaints about data transfers in circumstances where an adequacy finding applies.[10] The decision acknowledges that Member States national data protection authorities oversee the transfer of personal data to third countries[11] and that therefore they are vested with the power to check that such transfers are compliant.[12] Furthermore, under the regime set up by the Directive, both the national data protection authorities and the Commission have the power to declare adequacy findings.[13] However, once the Commission has made an adequacy finding the Member States are bound by it.[14]
The Court makes clear that a complaint should not be decided to be unfounded merely on the basis that there is a Commission adequacy decision in place and that the data protection authorities do not lose their oversight and enforcement powers.[15] If the data protection authority hearing the complaint has doubts about the compliance of the data transfer with the fundamental rights of privacy, data protection or the right to a fair trial, it must refer the case to the appropriate national court which then has the option to refer the question of the validity of the Commission’s adequacy decision to the CJEU, as happened in this case.[16] Only the CJEU has jurisdiction to declare a Commission’s adequacy decision invalid.[17]
Furthermore the CJEU held that despite the wording of Article 28(1) and (6), which seem to limit the scope of jurisdiction of the national data protection authorities to processing on their own territory, data protection authorities have competence to regulate data transfers on the basis that a transfer originates in the territory and therefore constitutes an act of processing within the territory.[18]
The relationship between data protection in Directive 1995/46/EC and the fundamental rights enshrined in the Charter
The CJEU’s judgment is not particularly clear on this relationship, but it is clear from the Decision that data protection is now a fundamental right which is enumerated in the same line as the fundamental right to privacy.[19]
In 1995 it seemed that the data protection regime in Directive 1995/46/EC was simply one ordinary law with the purpose of achieving one aspect of the protection of privacy (data privacy or informational privacy). Recitals 2[20], 3[21] and 10[22] and Article 1(1)[23] of the Directive make clear that the purpose of the Directive is to (1) provide for a high level of protection of data privacy and simultaneously (2) balance data privacy and free trade. These two objectives are in many instances conflicting with each other and therefore, to an extent, the 1995 Directive takes a pragmatic approach, as can be seen from the provisions on transborder data flows such as Article 25(6), which allowed for the creation of the Safe Harbour Agreement with the US.
Proclaimed in 2000 (and incorporated in the Treaties with the Treaty of Lisbon 2009) the EU Charter of Fundamental Rights elevated data protection as a ‘sacred’ fundamental right in the Charter (Constitutional law being of a higher order than ordinary EU laws). This means that, according to the Charter, data protection and privacy are now equal, fundamental rights which must be implemented by the EU institutions and the Member States as a higher legal order when considering EU law. The pragmatic approach to data protection is no longer sustainable, although the fundamental rights are not absolute and can be restricted by measures which genuinely meet general interest objectives or protect the rights and freedoms of others, as long as they are necessary to achieve that objective or the rights of others (strict proportionality test) and respect the essence of the right and are provided for by law.[24] This ‘Constitutional’ approach means that each and every engagement of data protection must be tested under this proportionality test. This is made clear by the judgment where the CJEU states in para 38 that the provisions of the Directive must necessarily be interpreted in the light of the fundamental rights guaranteed by the Charter.[25] The judgment also states that a complaint that the transfer of personal data to a third country does not provide for adequate protection of that data, notwithstanding a Commission adequacy decision under Article 25(6), should be examined in the light of that person’s fundamental rights to data protection, privacy and a right to a fair trial.[26] Finally, it is apparent from para 91 of the judgment, where the CJEU states that ‘EU legislation involving interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter must (…) lay down clear and precise rules governing the scope and application of a measure and imposing minimum safeguards (…).’
Maybe there is nothing wrong with Safe Harbour and it merely has not been complied with?
One potential argument to force the hand of the national data protection authority to take enforcement action without invalidating the Safe Harbour Decision would have been to say that the Safe Harbour provisions had not been complied with or had not been applied properly. This raises the question of whether the Irish Data Protection Commissioner had the power to stop the transborder data flows from Facebook Ireland Ltd to Facebook Inc on the basis that Safe Harbour had not been complied with.
This argument has two interesting aspects: (1) identifying the actual party in breach and whether that party is bound by Safe Harbour and (2) the extent of the powers of national data protection authorities if there is a (potential) breach of the Principles.
As to (1) the Irish Court held that the Safe Harbour Decision only imposes obligations on Facebook Ireland Ltd as transferor and Facebook Inc as transferee, and does not apply to the data processing by the US government (as the second transferee in the line). As the Attorney General pointed out in his opinion: ‘The High Court emphasises, accordingly, that the real objection is not to the conduct of Facebook USA as such, but rather to the fact that the Commission has determined that the law and practice on data protection in the United States ensure adequate protection.’[27]
The Safe Harbour Decision itself provides for broad exceptions for US organizations disclosing or transferring data to the US government: ‘Adherence to these Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case-law that create conflicting obligations or explicit authorisations, provided that, in exercising any such authorisation, an organisation can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorisation; or (c) if the effect of the Directive [or] Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts.’[28] These rules for US government, including law enforcement and national security agencies, do not stipulate that any exceptions have to comply with proportionality requirements, or that there have to be safeguards, or effective recourse to redress for EU citizens or that any interference must be targeted. This makes it clear that there is a fundamental clash between the rights to data protection and privacy under the Charter and the ECHR on the one hand and US law on US government interference with the personal data of foreigners on the other hand.
As to (2) the Safe Harbour Decision itself states the circumstances in which a national data protection authority can take enforcement action to prevent transborder data transfers to the USA and these are limited. The Safe Harbour Decision provides in Article 3 that the national data protection authorities may take enforcement measures in two situations: (1) where the US government enforcement bodies (Federal Trade Commission, Department of Transport) or an independent dispute resolution body has determined that the US transferee (in this case Facebook Inc) is violating the Safe Harbour Principles or (2) where there is a substantial likelihood that the Principles are being violated; there is a reasonable basis for believing that the enforcement mechanism is not effective; the continuing transfer would create an imminent risk of grave harm to data subjects and the national data protection authority has given the transferee an opportunity to respond.[29]
Again the Irish High Court held that Article 3 applies only to infringements of the Principles by the US transferee who has signed up to the Principles and, since arguably Facebook Inc had no choice but to comply with US law, there is no such breach.
The Meaning of Adequacy in Article 25 of Directive 1995/46/EC and the Validity of the Safe Harbour Agreement ratified in Commission Decision 2000/520/EC
The CJEU pointed out that the Directive did not define the concept of an adequate level of protection but that Article 25(6) stated that the third country must ‘ensure’ an adequate level of ‘protection of the private lives and basic rights and freedoms of individuals’.[30] The Court held that, from this wording, it is clear that the level of protection must continue after the transfer of the personal data to the third country (implicitly: even after a further onward transfer).[31] The CJEU here follows the Opinion of Advocate General Bot who found ‘the objective of that article is thus to ensure the continuity of the protection afforded by that directive where personal data is transferred to a third country.’[32]
The Court held that ‘adequate’ should not be taken to mean ‘identical’ but that it should mean ‘equivalent’. Thus, the third country had to ensure ‘a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the EU by virtue of Directive 95/46/EC read in the light of the Charter’, even though that third country’s means of implementing these standards would be different. This was also necessary to block any deliberate circumvention of data protection requirements in the EU by EU operators (who could otherwise simply transfer their data processing abroad into countries without adequate protection).[33] The CJEU (following the Advocate General’s Opinion[34]) also held that, when examining the validity of the Decision, circumstances which had arisen after its adoption had to be taken into account and, given that a large number of people were affected by such transfers, the review had to be strict.[35]
The Court held that a system of self-certification by itself is not contrary to the requirements of Article 25(6), but that it had to be ensured that such a system was reliable and had to be founded on effective detection and supervision mechanisms.[36] The Court pointed out that, crucially, US public authorities were not bound by the Safe Harbour principles.[37] Furthermore the Court held that the Decision was too vague about the measures by which the US ensured an adequate level of protection.[38] Moreover the Court found that (vaguely defined) US national security, public interest or law enforcement requirements creating conflicting interests or providing explicit authorisations had priority over Safe Harbour requirements. In other words, self-certified organisations in the US had to ignore the principles when confronted with conflicting US law.[39] The Court held that this very general nature of the derogation led to the interference with the fundamental rights of Europeans (residents in the EU) whose data was transferred from the EU to the USA (regardless of whether the data was sensitive or not or whether the interference had led to any adverse consequences).[40] Such interference founded on US domestic law would not be subject to the proportionality principle. However, the Court has also made clear that it was not the interference itself which is the problem, as the EU would recognize national security interests, for example, as a legitimate ground. The problem was that there were no limitations to this interference with fundamental rights and that there were no safeguards, oversight mechanisms or avenues of legal redress for affected EU residents.[41] Here the Court pointed out that the dispute resolution mechanisms in the Decision only applied to the private, not the public sector.[42] It emphasized how important it was to guard against abuse and against unlawful access and use of that data[43] and therefore that any derogations from data protection had to be strictly necessary (proportionality test).[44] Since the Safe Harbour regime did not contain clear definitions of the circumstances under which an interference would take place, nor any limitations on when such interference could take place, nor did it apply a proportionality test, nor did it give any redress rights to EU residents whose data had been transferred, the Court held that there was a breach of Articles 7, 8 and 47 of the Charter and that therefore the Safe Harbour Decision was invalid.[45]
The Court specifically stated that the restrictions in Article 3(1) on the ability of the national data protection authorities to enforce data protection were also incompatible with the powers of these authorities established under Article 28(1) of the Directive.[46] The Commission therefore had exceeded its powers in agreeing to these restrictive provisions.[47]
Conclusion
The Safe Harbour Decision is clearly gone and dead, even before a new compromise has been negotiated. With the implementation of the Charter, data protection has been elevated as a fundamental human right which cannot be compromised by a pragmatic solution which does not give primacy to these rights. The stumbling block here is that private US companies transfer personal data to the US government, which in turn is not bound or fettered by the safe harbour regime. Thus, where there is an onward transfer, data protection is not continued. The judgment however indicates that it is not the transfers itself which are the problem. The EU data protection regime allows for a number of exceptions for recognised legitimate reasons such as national security or the prevention, investigation or prosecution of serious crimes. Such exceptions, however, must be necessary and are subjected to a proportionality test which requires adequate safeguards and avenues of redress for EU citizens. The judgment gives some pointers to what a potential Safe Harbour 2.0 Agreement would need to contain. First, for an agreement to be reached it would be necessary that the USA gives EU resident foreigners some form of constitutional rights over their personal data and provides for sufficient safeguards and redress.[48] The judgment may renew calls for tighter privacy laws in the US, but how likely these are to reach the statute book is another question. In the meantime, there is no legal framework for the transfer of personal data from the EU to the US other than customized and very expensive solutions such as Standard Contractual Clauses, Binding Corporate Rules and explicit consent by EU data subjects. Each of these customized solutions would have to be cleared with every data protection authority from each Member State where data is transferred. In fact one of the great advantages of Safe Harbour was precisely that it provided a ‘one-stop-shop’ for the whole of the EU. Paperwork for companies will increase. Interestingly the US Department of Commerce announced on the day of the judgment that it will continue to administer the Safe Harbour Programme from its end, including registration for self-certification, perhaps supportive of the negotiations of the last two years and optimistic that a successor agreement will be concluded.[49] Commissioner Jourova has outlined the progress made in the EU-US negotiations for Safe Harbour 2.0 in a speech on 26 October 2015 and stated that national data protection authority authorities would be given a greater role, but ensuring uniformity through the Article 29 Working Party and further that there would be an annual joint EU-US review of Safe Harbour.[50]
While the judgment, no doubt is a great victory for data protection and privacy advocates, how, then will it affect EU businesses? On the one hand the judgment leads to louder calls for EU data localisation which may mean more European data centres and, perhaps, more innovation in the EU cloud computing sector. On the other hand, small EU businesses may find it much harder to trade with US companies and in particular use cheap US cloud computing products.
The judgment also means, of course, that the data protection authorities in the Member States should take enforcement measures against non-compliant transfers of personal data. This may well mean that they are overwhelmed by enforcing against a tide of non-compliant transborder data transfers. Although this judgment is not directly about a state’s jurisdiction and sovereignty within its border, this is ultimately the issue causing the conflict between the EU and the US: in a world where data moves seamlessly between cloud computing servers across the Atlantic, nation states lose control over this data.
Julia Hörnle is Professor of Internet Law, Centre of Commercial Law Studies, Queen Mary University of London
[1] Commission Decision 2000/520/EC of 26. July 2000 pursuant to Directive 95/46/EC on the adequacy of the protection provided by the safe harbour principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 L215, p.7)
[2] Para 105
[3] COM(2013) 847 final
[4] http://www.lawreform.ie/_fileupload/RevisedActs/WithAnnotations/EN_ACT_1988_0025.PDF
[5] See also s 11(2)(a) Data Protection Act 1988 (Ireland)
[6] Paras 40-43
[7] Treaty on the Functioning of the European Union (Consolidated Version) OJ C 326, 26.10.2012, p. 47–390, see also Recital 62 of the Directive; see also para 104 of the judgment where the Court said that the enforcement powers of the national data protection authorities cannot be fettered the way the Decision has done in Article 3 (1), discussed further below.
[8] Paras 51, 52
[9] Paras 52, 61
[10] Paras 53-57
[11] Para 46
[12] Para 47
[13] Para 50, also Advocate General’s Opinion, para 86
[14] Paras 51-52
[15] Paras 53-57
[16] Paras 64-65
[17] Para 61
[18] Paras 44-45
[19] Paras 90-91
[20] ‘Whereas data-processing systems are designed to serve man; whereas they must, whatever the
nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the
right to privacy, and contribute to economic and social progress, trade expansion and the well-being
of individuals’
[21] ‘Whereas the establishment and functioning of an internal market in which, in accordance with
Article 7a of the Treaty, the free movement of goods, persons, services and capital is ensured require
not only that personal data should be able to flow freely from one Member State to another, but also
that the fundamental rights of individuals should be safeguarded’
[22] ‘Whereas the object of the national laws on the processing of personal data is to protect
fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of
the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the
general principles of Community law; whereas, for that reason, the approximation of those laws must
not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a
high level of protection in the Community’
[23] ‘In accordance with this Directive, Member States shall protect the fundamental rights and freedoms
of natural persons, and in particular their right to privacy with respect to the processing of personal
data’
[24] Article 52(1)
[25] Referring also to Cases C-465/00, C-138/01 and C-139/01 Österreichischer Rundfunk and Others, para 68; C-131/12 Google Spain and Google, para 68 and C-212/13 Ryneš, para 29
[26] Para 59
[27] Para 45, Opinion of Advocate General Bot delivered on 23 September 2015 in Case C-362/14 Schrems v Data Protection Commissioner
[28] Annex I, Safe Harbour Privacy Principles drafted by the US Department of Commerce, Safe Harbour Decision 2000/520 see fn 2
[29] See fn 2; The CJEU held that Article 3 was incompatible with the protection of fundamental rights and declared it invalid
[30] Paras 70-71
[31] Para 72
[32] Para 139 of the Advocate General’s Opinion
[33] Paras 73-74, again concurring with the Advocate General, see his Opinion para 141 et seq
[34] Paras 134-135, Advocate General’s Opinion
[35] Paras 77-78
[36] Para 81
[37] Para 82
[38] Para 83
[39] Paras 84-87
[40] Para 87
[41] Paras 88-89
[42] Paras 89-92
[43] Para 91
[44] Para 92
[45] Paras 93-105
[46] Paras 99-104
[47] Para 104
[48] The US Judicial Redress Act H.R. 1428 could be the measure achieving this and this has been passed by the House of Representatives on 20. October 2015. If enacted, the Act would enable EU citizens to sue the US government to access, amend or correct records or to seek redress for unlawful disclosure under the US Privacy Act 1974.
[49] http://export.gov/safeharbor/
[50] http://europa.eu/rapid/press-release_SPEECH-15-5916_en.htm?locale=EN
