The judgment was not altogether unexpected given the earlier Opinion of the Advocate General on 23 September 2015, but has still sent shockwaves through many industry sector bodies and organisations that already carry out international data transfers to the USA themselves, or by using third-party service providers to do so on their behalf.
Safe Harbor no longer safe
The CJEU found in its judgment that:
(i) The US Safe Harbor Scheme is invalid
The CJEU made it clear that it alone has the power to examine the validity of a European Commission finding of adequacy in relation to "safe" or "permitted" international data transfers, and in this case has decided that Decision 2000/520/EC on the adequacy of the protection afforded by the US Safe Harbor scheme ("EC Safe Harbour Decision") is invalid.
This means that the Safe Harbor scheme used by more than 5,000 US companies can no longer be relied on as a lawful compliance mechanism permitting personal data about European data subjects to be transferred to the USA.
For those not familiar with the background to this case, in brief terms:
- The US Safe Harbor scheme was challenged by a Facebook user, Maximilian Schrems, following the Edward Snowden revelations about interception of communications by US intelligence agencies.
- It was alleged that the NSA had accessed data about Europeans and other foreign citizens stored by the US tech giants via a surveillance scheme called Prism.
- Schrems argued that US law and practice didn’t therefore offer sufficient protection against surveillance by public authorities of personal data transferred to the US and asked the Irish Data Protection Commissioner to investigate what information Facebook might be disclosing.
- The Irish Data Protection Commissioner rejected Schrems’ complaint and request on the basis of the EC Safe Harbour Decision.
- Schrems contested the decision and the matter was referred to the CJEU.
This CJEU judgment seems to have been made on the basis that:
(a) The Safe Harbor scheme only applies to U.S. undertakings which are Safe Harbor registered, not to U.S. public authorities.
(b) US national security, public interest and law enforcement requirements take precedence over the Safe Harbor scheme, and when a conflict arises U.S. undertakings must disapply the Safe Harbor rules. US public law enforcement authorities which obtain personal data from organisations in the Safe Harbor scheme are not obliged to follow the Safe Harbor rules after disclosure.
(c) US law also allows storage on a general basis of all personal data relating to individuals whose data is transferred from the EU to the US, irrespective of the reasons why and without any consideration as to when this data can be accessed and used by US public authorities.
(d) The Safe Harbor rules don't provide adequate rights for individuals to access their data or to require it to be rectified or erased where appropriate.
"I very much welcome the judgement of the court, which will hopefully be a milestone when it comes to online privacy," said Max Schrems on learning of the judgment. "It clarifies that mass surveillance violates our fundamental rights."
(ii) National DPAs must make their own finding of adequacy
National data protection authorities have the power to examine whether international data transfers comply with the EU Data Protection Directive (95/46/EC) ("EU Directive") and to suspend them if they are not in compliance. This power exists even where the European Commission has previously found that a non-EU country provides adequate protection (as in the case of the Safe Harbor Scheme), because DPAs have independent powers granted under the EU Directive.
National DPAs may therefore decide to prohibit or suspend international data transfers made under the US Safe Harbor Scheme if their investigation into the transfer finds that the transfer does not provide adequate protection.
So what happens next for Facebook?
In relation to the Facebook case, the Irish Data Protection Authority must now carry out a thorough investigation, exercising all due diligence, to decide whether the transfer of data to the US in relation to European users of Facebook should be prohibited on the basis that the Safe Harbor scheme no longer creates a permitted compliance mechanism.
And what about the rest of us?
While this case may seem, on the face of it, to be about taking on the mighty Facebook, in reality it is about all transfers of personal data to the US by all organisations. These may include:
- Data transfers to head offices in the US, or transfers sent to the US for particular service provision, either directly by organisations or via their sub-contractors;
- Transfers for data back-ups, CRM, accounting, payroll and personnel record hosting or services, data analytics, IT services, surveys carried out, etc.
The case therefore has wide-reaching implications for all organisations that transfer information from Europe to the USA. As a result, many industry sector bodies and organisations have been left reeling from the news of this case, each scrabbling to consider the full implications of the CJEU decision for them.
In essence, the many thousands of organisations carrying out international data transfers to the USA themselves (or using third-party service providers, i.e. data processors, to do so on their behalf):
- Should no longer transfer personal data to US organisations solely on the basis that they are Safe Harbour registered;
- Are likely to face a huge additional compliance burden, potentially having to liaise with numerous European data protection authorities rather than relying on the Safe Harbour scheme; and
- Will undoubtedly have to carry out more costly privacy impact assessments and put more legal paperwork in place to justify their US data transfers.
The EU Article 29 Working Party, the UK Information Commissioner's Office and the Spanish DPA have already published statements (see links provided) on the judgment. In basic terms these statements say they will consult with other EU data protection authorities to issue guidance for organisations on what to do next. The European Commission has also said that it will issue "clear guidance" in the coming weeks to prevent member states' data authorities issuing conflicting rulings.
Organisations will be keen to see this regulatory guidance published sooner rather than later, as following the decision they may no longer have a compliant mechanism permitting data transfers to the USA. While there are potentially other legal pathways allowing compliant data transfers to take place, many will require further work, analysis, justification and paperwork before they can be relied on.
This will take organisations time to properly consider. And yet the CJEU decision creates no time: there is no transition period to allow a new mechanism to be found, with the result that many organisations have become technically in breach of the legislation overnight.
Many of us practitioners hope that the EU and US will agree a new compliant transfer agreement or system, but unfortunately this may be slow in coming, as we understand that there have been ongoing negotiations for several years, trying but failing to agree on a better solution.
Watch this space!
If you require any further information or advice on how to stay compliant when transferring data to the US, on implementing the European standard contractual clauses to ensure compliance, or indeed with any other data protection or privacy matter, then please do not hesitate to contact Pritchetts.