Consequences of the ECJ Safe Harbor ruling

What are the consequences of the ECJ Safe Harbor ruling for Danish undertakings and authorities? Attorney and Plesner Partner Michael Hopp presents the most important issues.

On 6 October 2015 the European Court of Justice made its ruling in a preliminary reference from the Irish High Court in a case between Max Schrems and the Irish Data Protection Commissioner.

  The ECJ found that:
  • the Data Protection Directive (95/46/EC) gives the national data protection agencies the competence to decide whether for example the Safe Harbor decision provides sufficient protection of personal data in the United States. However, the ECJ has exclusive jurisdiction to decide whether the Safe Harbor decision is invalid and the national data protection agencies' competence is therefore restricted to deal with the case until a national court's preliminary reference to the ECJ. 
  • the Safe Harbor decision does not provide an adequate level of protection of the processing of personal data in the United States and is therefore invalid.
Please find below a brief account of the contents of the ruling and Plesner's recommendations as to how a Danish exporter of personal data is to act now on the basis of the Safe Harbor agreement.

Background

Article 25 of the Data Protection Directive (section 27 of the Danish Act on the Processing of Personal Data) stipulates that in general the transfer of personal data to a third country may take place only if the third country ensures an adequate level of protection of the personal data. Article 25(6) of the Directive also stipulates that the European Commission may determine that a third country ensures an "adequate level of protection" by reason of its domestic law or its international commitments.
 
In July 2000 the European Commission made such decision (2000/520/EC) when it found that the United States was a safe third country in respect of a transfer to United States undertakings subject to the Safe Harbor scheme. The Safe Harbor scheme consists of a number of principles that United States undertakings must declare that they adhere to when processing personal data. However, the national security, public interest and law enforcement requirements of the United States prevail over the Safe Harbour scheme, meaning that the authorities may interfere with the fundamental rights to protect personal data about the individual whose personal data will be or may be transferred from the EU to the United States.

The issue of the national data protection agencies' competence

By its ruling, the ECJ interpreted the wording of Article 25 of the Directive compared to the requirement laid down in Article 8(3) of the Charter of Fundamental Rights of the European Union (about personal data protection being subject to independent supervision). Against such background the ECJ found that Article 28 of the Directive (which lays down the national data protection agencies' competence) gives the national data protection agencies the competence to process an individual's request for the protection of his or her rights and freedoms in connection with the processing of his or her personal data which have been transferred to a third country (for instance the United States).
 
However, the Court found that the national data protection agencies' competence is restricted to deal with the case until a national court's preliminary reference to the ECJ as the ECJ has exclusive jurisdiction to settle the issue of invalidity, for example of the Safe Harbor decision.

The validity of the Safe Harbor decision

Despite the fact that the Irish High Court did not ask this question, the ECJ went further and assessed whether the Safe Harbor decision was in compliance with the requirements laid down in the Directive compared to the Charter. Specifically, the Court assessed whether the protection obtained by the individuals in question when their data are processed in the United States under the Safe Harbor scheme provided an "adequate level of protection" compared to the protection provided in the EU under the Personal Data Directive and the Charter.
 
The Court found that the wording an "adequate level of protection" in Article 25 of the Directive entails that a level of protection must be provided that is "essentially equivalent" to the level guaranteed within the EU.
 
This is the most important issue to take away from the ruling: the benchmark to be applied when assessing the protection in a country outside the EU must "essentially be equivalent" to the protection guaranteed in the EU under the Data Protection Directive and Article 8(1) of the Charter. This is a very strong benchmark that on the one hand will provide strong protection but on the other hand will make great demands on the situation in the countries assessed by the European Commission.
 
The Court also found that the European Commission had not made a satisfactory assessment of the level of protection in the United States, but that it had only examined the Safe Harbor scheme that does not contain any rules on the authorities' access to the transferred personal data (and United States public authorities are not subject to it).
 
Overall, the ECJ found that the Safe Harbor decision is invalid.

The consequences of the judgement

One direct consequence of the judgement is that the Safe Harbor scheme cannot any longer be used as the basis for transfers of personal data to the United States. A new Safe Harbor scheme is currently being negotiated, but it is uncertain when the negotiations will be finalised, but the European Commission has announced that it will be in 2015. The uncertainty is caused, among other things, by the ruling making stricter demands on when a specific basis for transfer provides an "adequate level of protection". This is expected to be important to both a new Safe Harbor agreement but also for how the ECJ will look at other transfer bases in future, for example the overall approvals of countries outside the EU, including the Faroe Islands.

It must be emphasised, however, that the ruling only covers the Safe Harbor scheme and that all other transfer bases, including the application of the so-called model contracts mentioned below, are still fully valid.

Plesner's recommendations

Undertakings and authorities must ensure that they know the extent to which they or their sub-service providers, for example cloud service providers, apply Safe Harbor as the transfer basis.
 
Even now several national data protection agencies have indicated that they do not expect that the data controller's new transfer basis will be in place right now. The best advice is therefore to wait a week or so as the European data protection agencies will meet with the European Commission in Brussels on Thursday 8 October 2015 to discuss a coordinated application of the ruling. An announcement is expected in week 42.
 
The undertakings and authorities that are currently using the Safe Harbor scheme should, depending on the regulatory authorities' announcement, look for another transfer basis. Or, if practically and commercially possible, stop transferring data to the United States. In that connection it could be relevant to consult the individual Safe Harbor-certified recipients of data and hear which steps they have taken as a consequence of the ruling. Plesner knows that some big cloud service providers are already offering alternative transfer bases in the light of the ruling.
 
The obvious choice for an alternative transfer basis will be the European Commission's model contracts that are available in three versions. Two versions cover the transfer from a data controller to a data controller whereas the third version covers transfers from a data controller to a data processor.
 
The model contracts can be downloaded from the European Commission's website
 
The application of the model contracts is not to be reported to the Danish Data Protection Agency if no other changes have been made than the ones permitted in compliance with the contents of the model contracts.
 
Remember to read the model contract that you decide to use. It contains a number of obligations on both the data exporter and the data importer that must be observed. It is not enough to fill in the contract and sign it, the contract must also be observed.

Latest news on Technology & Outsourcing

Technology and Outsourcing