The European Court of Justice Declares the Commission’s US Safe Harbour Decision as Invalid



Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity.
Source: http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf

An imperative question that arises here is what the ruling means for US organizations, and how it impacts Indian organizations, especially the outsourcing industry. Let’s attempt to understand the overall scenario, beginning with the root cause and its origin, and then how the matter escalated to the European Court of Justice (ECJ) and led it to issue such a ruling.

Rewind to the year 2011, when Maximilian Schrems of Austria submitted a complaint to the Irish Data Protection Supervisory Authority (the Data Protection Commissioner of Ireland) to stop the transfer of his Facebook data from Ireland to Facebook’s servers in the US. Further, in 2013, Schrems argued that the Snowden revelations had proven that the privacy of his data was not sufficiently protected against government surveillance programs in the US. In response, the authority rejected the complaint. To support its decision, the authority referred to Commission Decision 2000/520/EC of 26th July 2000, in which the data adequacy requirements and the EU-US Safe Harbor Principles were formulated and enacted. The authority said that, as per EU-US Safe Harbor, any US organization can transfer the data of EU citizens between EU and US geographies without any further contract or agreement beyond complying with the Safe Harbor principles.

The case was then brought to the High Court of Ireland, which referred it to the ECJ for clarification on whether the decision referred to by the Irish authority meant that the authority could not review a complaint regarding the lack of sufficient data protection in a third country and could not (if needed) suspend the transfer of data to that third country. The ECJ then reviewed the case and issued the following two rulings on 6th October 2015:

  1. According to the Charter of Fundamental Rights of the European Union and the directive, the authority (i.e., the Irish DPA in this case) has the full right to review a complaint which contends that the level of data protection in a non-EU country is not sufficient. This implies that it is the duty of the authority to assess a complaint by an individual concerned that their data is not being protected. Further, it says that there is no provision of the directive (the EU DPD) which prevents the authority from assessing the organizational or national practices of data protection, even if the Commission had made a decision or agreement (Safe Harbor in this case). This decision was made on the basis of the 1995 EU DPD and established that it does not matter that there is a Commission decision stating that the country’s protection is sufficient; the authority would still have to assess the lodged complaint separately.
  2. The Court said that the Safe Harbor principles leave explicit room for access to personal data by the US authorities because, under US law, companies are obliged to give the authorities access to data in case of national security concerns (and for some other reasons, such as law enforcement). These concerns take precedence over data privacy under US law, and US companies cannot reject such requests for data by the US government. The Court said that the Commission itself had already confirmed that the access to data by US authorities went far beyond what was required for national security purposes and that there were no US rules in place that limit this access. The Commission had also confirmed that there were possibilities for citizens to protect themselves (for example, by a legal appeal) against the access to their private data by the US. The Court said that a decision that allows authorities of a third country to access data in a broad, general and unrestrained way was in violation of the fundamental right to respect for one’s private life as well as the right to a fair trial (as no appeal was possible under the Commission decision). It declared the Commission decision invalid, which means it has also declared the Safe Harbor principles invalid. It also ruled that the Commission did not have the authority to limit the powers of national data protection authorities.

These violations led the Court to order the Irish Data Protection Authority to review Schrems’ complaint and to determine whether or not the transfer of data of European Facebook members to the US should be suspended because that country does not offer sufficient protection of private data. Besides this, the ruling brings with it many issues and questions. Answers to most of these are unknown and will be interesting to follow as further news and clarifications emerge. A few analytical pointers which can be drawn out are:

  • To date, there is no transitional clause from the ECJ that would give organizations at least a limited period, or buffer time, to continue data transfers until a new data protection scheme is put in place by the Commission or the authorities.
  • Will there be a new Safe Harbor with detailed clauses and sufficient data protection? Would organizations have to use model contractual clauses, etc.? Would the US try, or the EU force it, to earn an adequacy-level geography tag?
  • In the absence of such action, any transfer of EU citizens’ data from the EU to the US would be considered illegal. This implies that companies will have to request permission from their national authorities to send personal data to the US (which involves lengthy and burdensome proceedings such as SCCs and BCRs), or use mechanisms other than Safe Harbor.
  • This case may trigger many other similar complaints against other US companies, which in turn could be a boon to EU data storage centres.
  • Under the new GDPR there is a possibility of sectoral adequacy. The European Parliament is opposed to this in ongoing discussions, and will be more so after this ruling, but the European Data Protection Supervisor Giovanni Buttarelli has already been alluding to sectoral adequacy possibilities under the new regime. This may end up as sectoral adequacy for the US under a new Safe Harbor.

All these future perspectives are unknown, and it will be very interesting to see where this heads. But for India (and the services industry in India) it is going to get tougher, as this ruling will bring a more stringent standard which each country would have to abide by for data transfers with EU countries. We would have to continue our efforts, more rigorously now, to reach some kind of agreement, clause or policy that reduces or addresses such stringency for the service provider industry in India and find a way to enable easier data transfers between the EU and India.