ECJ rules that the EU-US safe harbor arrangement is invalid | Practical Law

The ECJ has given its preliminary ruling to the Irish High Court that Decision 2000/520 on the EU-US Safe Harbor framework is invalid. (Maximillian Schrems v Data Protection Commissioner, Case C-362/14, 6 October 2015.)

ECJ rules that the EU-US safe harbor arrangement is invalid

Practical Law UK Legal Update 5-619-2986 (Approx. 12 pages)

by Practical Law Data Protection
Published on 08 Oct 2015
European Union, USA (National/Federal)

Speedread

The ECJ has given its preliminary ruling to the Irish High Court that a decision adopted pursuant to Article 25(6) of the Data Protection Directive (1995/46/EC), like Commission Decision 2000/520/EC on the EU-US Safe Harbor framework, does not prevent a national supervisory authority of a member state, within the meaning of Article 28 of the Directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him, which has been transferred from a member state to a third country, when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection. The ECJ has also declared Decision 2000/520 invalid. The judgment is likely to have significant commercial and political impact on data flows between the EU and the US and, consequently, on the relationship between the two. It also mandates a closer look at the substantive and procedural rules in the US, as well as in some EU member states, to ensure the effective protection of EU citizens' right to respect for their private life and their right to the protection of their personal data. (Maximillian Schrems v Data Protection Commissioner, Case C-362/14, 6 October 2015.)

Background

EU data protection regime

The Charter of Fundamental Rights of the EU (Charter) protects the right to respect for private life (Article 7), the right to protection of personal data (Article 8) and the right to an effective remedy and fair trial (Article 47).
Transfers of personal data from the EU to territories outside the EEA are only permitted if adequate protection is ensured for that data in the territory to which it is transferred, according to Article 25(1) of the EU Data Protection Directive (95/46/EC) (Data Protection Directive). An adequate level of protection is one that is adequate in all the circumstances of the case, having regard to the factors listed in Article 25(2) of the Data Protection Directive.
Article 25(6) of the Data Protection Directive provides that the Commission may find that a third country ensures an adequate level of data protection through its domestic law or international commitments it has entered into.
Article 28(1) of the Data Protection Directive requires member states to set up one or more public authorities responsible for monitoring, with complete independence, compliance with the EU data protection regime. The national supervisory authorities have a wide range of powers for that purpose, including in particular, investigative powers (like the power to collect all the information for the performance of their supervisory duties) and effective powers of intervention (like the power to impose a temporary or definitive ban on certain data processing operations, and the power to engage in legal proceedings).

Safe Harbor framework

Article 1 of Commission Decision 2000/520/EC (Decision 2000/520) provides that adequate protection is provided by US undertakings which self-certify their adherence to the Safe Harbor principles (see Practice note, Cross-border transfers of personal data, in particular, Community findings of adequacy).
The Safe Harbor principles contain an exception where US statute, regulation or case-law create "conflicting obligations or explicit authorisations, provided that, in exercising any such authorisation, an organisation can demonstrate that its non-compliance with the principles is limited to the extent necessary to meet the overriding legitimate interests further[ed] by such authorisation".
Article 3(1) of Decision 2000/520 restricts, and imposes additional conditions on, member states' national supervisory authorities when they exercise their powers to suspend data flows to US companies that self-certify under the Safe Harbor framework.

Snowden revelations

Following Edward Snowden's revelations in 2013 about US National Security Agency (NSA) surveillance of data held by Safe Harbor participants, Safe Harbor's credibility was significantly undermined (see Legal updates, European Commission calls for more robust safe harbor framework and Will the US-EU Safe Harbor Run Aground?). Despite the commencement of EU-US negotiations to address the situation, the Commission did not formally retract its finding that the Safe Harbor regime provides adequate protection.

Facts

All Facebook subscribers living in the EU are required to conclude, at the time of registration, a contract with Facebook Ireland, a subsidiary of Facebook Inc. established in the US. Some or all of their personal data is transferred from Facebook Ireland to servers in the US, where it is processed. Maximillian Schrems is an Austrian Facebook subscriber living in Austria. In June 2013, he made a complaint to the Irish Data Protection Commissioner (DPC) by which he asked the DPC to exercise its powers to prevent Facebook Ireland from transferring his personal data to the US on the basis that US law and practice did not ensure adequate protection of the personal data held in its territory against the mass surveillance of data carried out there by the public authorities (for example, under the NSA's PRISM programme).
The DPC took the view that it was not required to investigate the matters raised in the complaint and rejected it as unfounded. In particular, the DPC argued that he was bound by the European Commission's findings in Decision 2000/520 that Safe Harbor ensured adequate protection.
Mr Schrems brought an action before the High Court challenging the decision. The Irish High Court found that although the electronic surveillance and interception of personal data transferred from the EU to the US serve necessary and indispensable objectives in the public interest, the revelations made by Edward Snowden had demonstrated a "significant over-reach" on the part of the NSA and other federal agencies. In addition, the court found that EU citizens have no effective right to be heard as part of US oversight proceedings. As a result, the court considered that Decision 2000/520 does not satisfy the requirements flowing both from Articles 7 and 8 of the Charter and from the principles set out in the ECJ's judgment in Digital Rights Ireland and Others (Joined Cases C-293/12 and C-594/12).
The High Court referred the following questions to the ECJ for a preliminary ruling:
1. Whether, in determining a complaint that a third country's laws and practices do not contain adequate protection for data being transferred to it, a national supervisory authority (such as the DPC) is bound by Decision 2000/520, having regard to Articles 7, 8 and 47 of the Charter and to Article 25(6) of the Data Protection Directive.
2. Or, alternatively, may and/or must the DPC conduct its own investigation of the matter in light of factual developments since Decision 2000/520 was made (such as the Snowden revelations).
In September 2015, the EU Advocate General gave an opinion on the referred questions. For details, see Legal update, Advocate General opinion on EU-US Facebook data transfer suggests Safe Harbor decision invalid.

Decision

The ECJ has given a judgment in which it agrees with the Advocate General's opinion. Its answers to the referred questions can be paraphrased as follows:
  • Article 25(6) of the Data Protection Directive, read in the light of Articles 7, 8 and 47 of the Charter, must be interpreted as meaning that a decision adopted pursuant to that provision, like Commission Decision 2000/520/EC, does not prevent a supervisory authority of a member state, within the meaning of Article 28 of the Directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him, which has been transferred from a member state to that third country, when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.
  • Decision 2000/520 is invalid.
The ECJ's reasoning can be summarised as follows.

Powers of the national data protection authorities

The court highlighted that the independence of the national supervisory authority is intended to ensure the effectiveness and reliability of the monitoring of compliance with the EU data protection regime and that the establishment of those authorities in the member states is therefore an essential component of the protection of individuals with regard to personal data. Although the authorities' powers concern data processing activities carried out on the territory of their own member state, the operation of transferring data from that member state to a third country constitutes in itself data processing within the scope of the Data Protection Directive. Each of the national authorities is therefore generally vested with the power to check whether a transfer of personal data from its own member state to a third country complies with the requirements laid down by the Directive.
However, the ECJ also confirmed that it alone has jurisdiction to declare that an EU act like a Commission decision is invalid. The exclusivity of that jurisdiction has the purpose of guaranteeing legal certainty by ensuring that EU law is applied uniformly. Therefore, until such time as the court declares a Commission decision invalid, the member states and their organs (including the national supervisory authorities) cannot adopt measures contrary to the decision. While the national courts are admittedly entitled to consider the validity of an EU act, they are not themselves endowed with the power to declare such an act invalid or to determine with binding effect that a third country covered by a Commission decision under Article 25(6) does not ensure an adequate level of protection.
In a situation where the national supervisory authority is faced with such a claim, it is therefore important that procedural rules exist that allow for the question of incompatibility of an EU act with Charter rights to be considered by the ECJ. In this context the Court held as follows:
  • If the national supervisory authority concludes that the arguments put forward in support of such a claim are unfounded and therefore rejects it, the person who lodged the claim must have access to judicial remedies enabling him to challenge such a decision adversely affecting him before the national courts. Those courts must stay proceedings and make a reference to the ECJ for a preliminary ruling on validity if they consider that one or more grounds for invalidity put forward by the parties or, as the case may be, raised by them of their own motion are well founded.
  • In the converse situation, where the national supervisory authority considers that the objections advanced by the claimant are well founded, that authority must be able to engage in legal proceedings for a judicial review of the validity of the EU act. The ECJ held that it is therefore incumbent on the member states to provide for legal remedies that enable the national supervisory authority to bring such a claim for judicial review before the national courts in order for them, if they share the authority's concerns, to make a reference to the ECJ for a preliminary ruling on the EU act's validity.

Validity of Decision 2000/520

The ECJ acknowledged that it is apparent from the referring court's explanations relating to the questions submitted that Mr Schrems contends in the main proceedings that US law and practice do not ensure an adequate level of protection within the meaning of Article 25 of the Data Protection Directive and that Decision 2000/520 should therefore be declared invalid.

Requirements of the Data Protection Directive

The ECJ highlights that in order to ascertain under Article 25(6) of the Directive whether a third country provides an adequate level of protection of personal data the Commission must consider all the circumstances surrounding a data transfer operation on the basis of the non-exhaustive list of criteria set out in Article 25(2). In particular, the Commission must establish whether the third country ensures an adequate level of protection by reason of its domestic law or its international commitments.
The ECJ held that in this context the word "adequate", while not signifying that a third country must ensure a level of protection identical to that in the EU, must be understood as requiring a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the EU.
The Court also confirmed that adequate protection must be ensured by the third country's legal order. Accordingly, when examining the level of protection afforded by a third country, the Commission must assess the content of the applicable rules in that country resulting from its domestic laws, its international commitments and the practice designed to ensure compliance with those rules. The Commission must also check periodically, after it has adopted a decision under Article 25(6) of the Directive, whether the adequacy finding in question is still factually and legally justified.
The Court made it clear that in view of the important role played by the protection of personal data in the light of the fundamental rights set out in Articles 7 and 8 of the Charter, and the large number of persons whose rights are liable to be infringed by a data transfer to a jurisdiction that does not provide adequate protection, the Commission's discretion as to the adequacy level ensured by the third country is necessarily reduced. A review of the requirements stemming from Article 25 of the Directive should therefore be strict.

Article 1 of Decision 2000/520

The ECJ considered in detail the Commission's view, expressed in Decision 2000/520, that the Safe Harbor principles ensure an adequate level of protection for data transfers from the EU to US companies that have signed up to the Safe Harbor framework. In particular, the Court reviewed whether the system of self-certification by US organisations was sufficient to comply with the requirements of Article 25(6) of the Directive. It opined that the reliability of such a system is founded essentially on the establishment of effective detection and supervision mechanisms enabling any infringements of the rules to be identified and punished in practice.
The Court found that in the present case the following issues arise:
  • The Safe Harbor principles are applicable solely to self-certified US organisations receiving personal data from the EU, whereas US public authorities are not required to comply with them.
  • Decision 2000/520 does not contain sufficient findings regarding the measures by which the US ensures an adequate level of protection by reason of its domestic law and international commitments.
  • The applicability of the Safe Harbor principles may be limited "to the extent necessary to meet national security, public interest, or law enforcement requirements". Where US law imposes a conflicting obligation, US organisations, whether subject to the Safe Harbor principles or not, must comply with US law. This means that in essence (US) national security, public interest, or law enforcement requirements have primacy over the Safe Harbor principles. In practice, Decision 2000/520 therefore enables interference by US public authorities with fundamental rights of the persons whose data is transferred to the US under the Safe Harbor framework.
  • Decision 2000/520 does not contain any finding regarding the existence of rules adopted by the US intended to limit any interference with the fundamental rights of those persons, nor does it refer to the existence of effective legal protection against interference of that kind. Like the Advocate General, the ECJ observes that the procedures before the Federal Trade Commission and the private dispute resolution mechanisms affected persons can employ under the Safe Harbor arrangement solely concern compliance by the self-certified organisations. They cannot be applied in disputes relating to the legality of interference by US public authorities and security and law enforcement agencies with fundamental rights.
The ECJ highlights that in its Communication (COM(2013)846 final) on "Rebuilding Trust in EU-US data flows" (see Legal updates, European Commission calls for more robust safe harbor framework) the Commission found that the US authorities were able to access the personal data transferred from the member states to the US and process it in a way incompatible with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. The Commission also noted that EU data subjects had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed, rectified or erased.
The ECJ points out that EU legislation involving interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter must lay down clear and precise rules governing the scope and application of a measure and imposing minimum safeguards, so that data subjects have sufficient guarantees enabling their data to be effectively protected against the risk of abuse and against any unlawful access and use of the data.
Derogations and limitations in relation to the right to the protection of personal data apply only insofar as is strictly necessary. As the ECJ already emphasised in its decision in Digital Rights Ireland and Others (Joined Cases C-293/12 and C-594/12), legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the EU to the US "without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail". In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for privacy, as guaranteed by Article 7 of the Charter.
Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in this regard does not respect the essence of the fundamental right to effective judicial redress set out in Article 47 of the Charter.
The ECJ held that as the Commission made no finding in Decision 2000/520 whether the US legislation complies with those requirements, Article 1 of the Decision fails to comply with the requirements set out in Article 25(6) of the Directive, read in the light of the Charter, and it is accordingly invalid.

Article 3 of Decision 2000/520

The ECJ reiterated that under Article 28 of the Directive national supervisory authorities must be able to examine, with complete independence, any claim concerning the protection of a person's right to the protection of their personal data. This is particularly the case where, in bringing such a claim, that person raises questions regarding the compatibility with those rights of a Commission decision adopted pursuant to Article 25(6) of that Directive.
The Court held that those powers cannot be reduced or eliminated by a Commission decision like Decision 2000/520, as neither Article 8(3) of the Charter nor Article 28 of the Directive excludes from the national supervisory authorities' sphere of competence the oversight of transfers of personal data to third countries that have been the subject of a decision made under Article 25(6) of the Directive. It would therefore be contrary to the system set up by the Directive for the Commission to adopt a decision that has the effect of preventing a national supervisory authority from examining a person's claim that a transfer to a third country covered by that decision violates his rights and freedoms.
The Court found that Article 3 of Decision 2000/520, which lays down restrictions on the national supervisory authorities' powers to review data flows to the US made under the Safe Harbor framework, must be understood as denying the national supervisory authorities the powers which they derive from Article 28 of the Directive.
The Court therefore held that Article 3 of Decision 2000/520 is invalid.
As Articles 1 and 3 of the Decision are inseparable from Articles 2 and 4 and the annexes to it, their invalidity affects the validity of the Decision in its entirety.

Reactions to the judgment

The ECJ's judgment has resulted in immediate reactions from both the European Commission and the Article 29 Working Party.
During a press conference on 6 October, First Vice-President Timmermans described the judgment as "a confirmation of the European Commission's approach for the renegotiation of the Safe Harbor". He stressed that in the meantime, transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under EU data protection law. Similarly, Commissioner Jourová emphasised the importance of the judgment for European businesses. She outlined that the Commission's priorities will be to:
  • Guarantee that EU citizens' data are protected by sufficient safeguards when they are transferred.
  • Continue to enable transatlantic data flows, as they are the backbone of the EU economy.
  • Work together with the national data protection authorities to ensure a coordinated response on alternative ways to transfer data.
In a press release issued by the Article 29 Working Party, it welcomes the fact that the Court’s decision reaffirms that data protection rights are an inherent part of the EU fundamental rights regime. The Working Party points out that it has been studying the impact of mass surveillance on international transfers and has on several occasions presented its concerns. The Working Party is aware that the judgment, taken in the context of the negotiation on the draft Data Protection Regulation and the discussions on the Safe Harbor between the European Commission and the US authorities, has major consequences for all stakeholders. It therefore plans to organise a first round of discussions between experts in order to provide a coordinated analysis of the Court’s decision and to determine the consequences on transfers.

Comment

Even ignoring the commercial and political impact the ECJ's decision will have on data flows between the EU and the US and, consequently, on the relationship between the two, the judgment is interesting for a number of reasons.
For a start, it is increasingly clear that the Court has now fully accepted its own role as the guardian of the EU fundamental rights framework set out in the Charter and the Treaties. The declaration that it alone is the ultimate arbiter of whether EU acts, both legislative and executive, comply with Charter rights essentially confirms its relatively recent role as a true EU "constitutional court" that will act alongside the European Court of Human Rights (ECHR) and the national constitutional courts to ensure fundamental rights protection in Europe. This will be welcomed by some countries, which have long harboured concerns that the standard of judicial redress with regard to fundamental rights protection at EU level falls below that provided at national or ECHR level. Other countries like the UK, where powers of the courts to invalidate legislation are often viewed with suspicion, are more likely to receive this development with concern.
Procedurally, the judgment has the potential to cause an administrative headache for those member states, again like the UK, where opportunities for judicial review of legislative acts are strictly limited. The ECJ's requirement that national supervisory authorities must have the right (and may indeed have the duty) to apply, before the national courts, for judicial review of an EU act (if the authority, along with a complainant, considers that act to be incompatible with Charter rights) is not reflected as such in the Data Protection Act 1998. Standing to request judicial review is strictly limited in some countries, including the UK, and it will take some time until the member states' legislators as well as the supervisory authorities have achieved clarity on the exact changes that will need to be made to both national law and practice to comply with the ECJ's dictum. This will inevitably contribute to, and potentially extend, the legal uncertainty regarding transatlantic data flows created by the judgment.
On a practical level, the judgment leaves both EU data controllers and US recipients of data flows that have relied on the Safe Harbor to legitimise their data transfers in an immediately precarious situation, meaning that the Commission's initial reaction that controllers can simply switch to other justifications seems somewhat optimistic. Although there is generally no impediment that would keep the Commission from reissuing Decision 2000/520, provided that the requirement to review whether the US legislation complies with the requirements set out in Article 25(2) and (6) is met, this process is likely to take time and may only be completed with full cooperation by the US authorities. Even then, it may be difficult to establish that the US does in fact provide an adequate level of protection, which is one of the reasons why the Safe Harbor was adopted in the first place.
Without Decision 2000/520, businesses will have to rely on other derogations and exemptions from the general prohibition on data transfers to third countries that do not provide adequate protection. In the short term, it is likely that the use of both standard contractual clauses and Binding Corporate Rules (BCRs) (see Practice note, Cross-border transfers of personal data) will increase. However, both of those methods are now equally vulnerable to judicial review and a potential declaration of invalidity, at least to the extent that they are used to authorise transfers of personal data to the US. This applies, in particular, to the standard contractual clauses, which were also adopted by the Commission on the basis of a provision set out in the Data Protection Directive (Article 26(4)). While the current judgment is unlikely to have direct effect in this regard, it is entirely possible that the ECJ, following a similar challenge, will come to a similar conclusion. Both BCRs and standard contractual clauses are designed to enable the transferring EU data controller to prove that the personal data transferred under them will come to no harm in the receiving country. However, for as long as US recipients of those data are under a legal obligation to allow US public authorities wide-ranging access to those data in a way and to an extent that is unacceptable under the EU's fundamental rights framework, that proof will be difficult to deliver.
Finally, EU data controllers may consider relying on one of the other derogations set out in Article 26(1) of the Directive. Among other things, those derogations justify transfers that are made with the data subject's consent or that are necessary, say, for the performance of a contract or on important public interest grounds. However, there are limitations to the usefulness of most of those derogations. Data protection authorities have long cautioned against relying exclusively on the data subject's consent, given that it can be withdrawn at any time. Even in cases where the data controller makes the provision of its services conditional on receiving such consents, there is now at least a question mark over whether a contractual requirement for the data subject to consent to a transfer of his data to a potentially unsafe jurisdiction can be considered fair under the circumstances. The courts of some member states (like Germany) have already started to review privacy policies under their national consumer protection regimes, and it is probably unlikely that those courts will approve contractual consents of that nature.
The other derogations largely rely on a requirement of "necessity", which - on the basis of settled case law of both the national courts and the ECJ - will often be difficult to construe. In the medium term it may therefore be incumbent upon the European Commission to take political steps to persuade the US to review its own legal framework, both with regard to the substantive protections afforded to EU citizens' personal data and their rights to judicial redress. Previous endeavours in this regard have mostly been unsuccessful. However, it remains to be seen whether - faced with the potential inability of US companies to provide services to the lucrative EU market that involve the transfer of personal data to the US - there will be a change in attitude and approach. The recent promise in the context of the negotiation of the EU-US data protection "umbrella agreement" to improve EU citizens' access to the US courts (see Legal update, European Commission announces that negotiations of data protection umbrella agreement have been finalised) is certainly a step in the right direction. However, in the light of this judgment it is now unclear whether or not that initiative, which in any case seems to be stuck in the US legislative process for the time being, will be sufficient to fulfil the requirements as defined by the ECJ. Similarly, other legal developments in the US, like Microsoft's appeal against a decision by a New York district court that US law enforcement agencies should have access to personal data Microsoft stores on its servers in Ireland, will undoubtedly also have to be taken into consideration by the Commission were it to review the US domestic legal framework and international obligations for the purpose of a revised adequacy decision.
For EU data controllers this leaves a period of legal uncertainty that may only be resolved through the adoption of the new Data Protection Regulation. However, it remains to be seen whether the judgment may now even derail the timetable for that legislative project.