Background – the laws
The EU’s Data Protection Directive 95/46/EC establishes minimum data-privacy requirements that all EU Member States must implement in their respective legislative regimes. One such requirement is that personal data may not be transferred to a recipient outside the EU unless the recipient country can adequately safeguard the privacy of the relevant individuals. The supervisory authorities of the Member States are responsible for enforcing these laws in their respective countries.
To address this restriction, the US Department of Commerce developed a ‘safe harbour framework’ under which US organisations can voluntarily apply a higher degree of protection to personal information than what is required under US law. EU entities could take comfort in the knowledge that safe-harbour certified entities would ‘adequately safeguard’ their personal information in accordance with the requirements of the Data Protection Directive.
The ECJ ruling
In 2013, Austrian law student Maximilian Schrems lodged a complaint with Ireland’s Data Protection Commissioner in relation to Facebook Ireland’s practice of transferring its users’ personal data to Facebook Inc.’s US servers. Following Edward Snowden’s revelations regarding the US National Security Agency’s PRISM surveillance programme, Schrems alleged that Facebook, and the laws and practices of the US Government more broadly, did not adequately safeguard his personal data to the standard required under the Data Protection Directive.
The Data Protection Commissioner originally dismissed the complaint on the basis that Facebook Inc. was certified under the safe harbour framework and the Commission had upheld safe harbour as a valid mechanism of transatlantic data transfer in 2010. However, the EU’s highest court, the ECJ, did not consider the Data Protection Commissioner bound by the Commission’s 2010 safe harbour decision. The ECJ went on to invalidate the Commission’s safe harbour decision, on the basis that:
- legislation (such as that in existence in the US) that permits public authorities a right of generalised access to electronic communications compromises the fundamental right of respect for privacy
- legislation (again, such as that in existence in the US) that does not provide any possibility for individuals to pursue legal remedies to access their personal data compromises the fundamental right of effective judicial protection
- the Commission did not have the ability to restrict the investigative powers of the supervisory authorities of Member States when a person calls into question whether a decision is compatible with the privacy protections offered under the Directive.
Impact of the ruling
The Commission publicly supported the ECJ decision and acknowledged its immediate effect. First Vice-President of the Commission Frans Timmermans acknowledged that, while the protection of EU citizens’ personal data remained the Commission’s top priority, it was also committed to the continuation of transatlantic dataflow, which underpins the backbone of the EU economy. Timmermans also acknowledged the importance of the uniform application of the law, announcing the Commission’s intention to provide guidance to the Member States’ supervisory authorities to promote predictability and consistency of enforcement.
The Article 29 Working Party, an advisory entity comprising representatives of the Member States’ supervisory bodies and representatives of the Commission, has met extensively in recent weeks to develop common guidance following the ECJ ruling. The Working Party has provided several key insights into the enforcement approach that can be expected from Member States.
One important announcement concerns the widely utilised alternatives to the safe harbour framework: Model Contract Clauses and Binding Corporate Rules. The Commission has previously sanctioned these methods as being effective mechanisms under which entities can transfer personal data from the EU to the US; however, since the ECJ ruling, some commentators have cast doubt on whether they would stand up to judicial scrutiny, noting that the rationale underpinning the ECJ ruling may also be applied to these methods. In a 16 October 2015 statement, the Working Party advised that it was analysing the impact of the ruling on Model Contract Clauses and Binding Corporate Rules, but confirmed that companies may continue to employ these methods in the interim.
In a second crucial point, the Working Party highlighted that the US Government’s right to massive and indiscriminate surveillance of personal data was the key element in the ECJ’s determination. This implies that, from the Working Party’s perspective, the issue is not wholly within the control of the relevant US recipient entity, but is an issue of the US Government more broadly. The Working Party urgently called upon Member States and European institutions to open discussions with US authorities to find political, legal and technical solutions to enable transatlantic data transfers that respect fundamental human rights. The Working Party did not specify that companies would be given a grace period within which to adapt their data transfer processes, but it did advise that failure to apply an appropriate solution by the end of January 2016 would result in supervisory bodies taking all necessary and appropriate actions, which may include coordinated enforcement action.
There has been much discussion surrounding the development of a replacement safe harbour or binding intergovernmental agreement to combat the ECJ ruling. Further, the Commission recently reaffirmed its commitment to finalising the European General Data Protection Regulation, which will replace the Data Protection Directive by the end of the calendar year. With so much legislative uncertainty, and in light of the ongoing analysis being undertaken by the Working Party, affected companies may be reluctant to implement the widespread changes required to incorporate one of the alternative data transfer mechanisms – but the reality is that this is the only choice that companies have if they want to remain compliant.
It is clear that there is still considerable room for movement in terms of what constitutes best practice in this sector. Nevertheless, it is also clear that finding a viable long-term solution is likely to be difficult while the governments of the EU Member States and the US take such disparate stances on individuals’ rights to personal data privacy. Whether a viable solution will be found, only time will tell.