EU’s highest court struck a major blow to the EU-US safe harbour earlier today in the closely watched case, Schrems v. Data Protection Commissioner [2015] EUECJ C-362/14 (06 October 2015). The decision of the CJEU, which followed the earlier opinion of the Advocate General, is the worst privacy nightmare that could have been imagined by the thousands of US and EU based companies that rely on the safe harbour to transfer personal data to the US for processing. It affects giant social networks like Facebook, search engines like Google, cloud hosting providers, and thousands of other companies that do business in the EU and that transfer personal data to the US.
The CJEU made a number of important findings including:
- In practice, a significant number of companies that self-certified under the safe harbour did not comply, or did not comply fully, with the safe harbour principles.
- National data protection authorities have the right and obligation to investigate whether transfers of personal data from the EU to the US comply with their privacy laws, even if a safe harbour is in place.
- Only the CJEU has the jurisdiction to declare the safe harbour invalid.
- The protection under a safe harbour has to be adequate enough to ensure a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the EU Charter.
- A safe harbour that relies on self-certification, like the US safe harbour, must have effective detection and supervision mechanisms enabling any infringements of the rules ensuring the protection of fundamental rights to be identified and punished in practice.
- The EU-US safe harbour was not adequate to guarantee the protection of personal data transferred to the US in light of the large scale surveillance activities of the US government.
The decision of the CJEU substantially undermined the usefulness of the safe harbour. By invalidating the decision of the European Commission that had found the safe harbour to be adequate, it opens the door for data protection authorities in member states to take steps to block data transfers to the US.
The decision will also potentially affect many Canadian multinational businesses with operations in the EU and the US where data is transferred from the EU and stored in the US. This is not uncommon, for example, where a Canadian business uses a US based service provider to support global operations. Canadian companies should now act quickly to examine the basis on which data from EU residents is transferred to the US. If the transferor relies on the safe harbour, other mechanisms such as the Model Clauses, Binding Corporate Rules, exemptions for transfers, and obtaining express consents may need to be used. In theory, on the basis of the Schrems case, even mechanisms such as the Model Clauses or Binding Corporate Rules could be examined by data protection authorities to assess their adequacy.
The reasons of the court also raise questions as to whether transfers of data from the EU to Canada will eventually be challenged as well. The EU Commission adopted a decision deeming PIPEDA to provide adequate protection, permitting transfers of data from the EU to Canada. This decision could also be challenged on the basis of the reasoning in the Schrems case. Further, national data protection authorities have the right to investigate whether Canada, in fact, provides an adequate level of protection for data transferred to Canada. It is possible that transfers to Canada could be blocked by any data protection authority in any EU member state. Transfers of personal data to Quebec are already potentially problematic based on an opinion from the EU Article 29 Data Protection Working Party released in 2014.
The US lost billions of dollars in business following the Snowden revelations about PRISM and other US surveillance operations. The fall-out from the decision released today is bound to surpass that.
There have been numerous blog posts and newspaper stories analyzing the decision. For example, see CJEU: Schrems v Data Protection Commissioner, Key Aspects of the Judgment, EU ruling means Facebook and Google can’t send data to the US, Landmark ECJ data protection ruling could impact Facebook and Google, With Safe Harbor gone, the hard work on data transfers starts now, Safe Harbor Invalidated – What’s Next on the Chopping Block?
1 comment
In a previous life, I had to store some material offshore, and so put basic contact information (name or alias, etc) in the data, along with a locally unique identifier, and stored any sensitive information offline in Canada with the identifier as the key that tied them together.
In a conventional business context, I suspect the latter might be the customer billing information, which is obviously identifying information. That might well be on a different and more secure machine in any case!
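An added illustration of the split-storage approach the commenter describes: basic contact data and a random, locally unique identifier go offshore, while sensitive fields stay in an in-jurisdiction vault keyed by that identifier. This is constructed example code, not the post's or the commenter's; the field names, the record and the `SplitStore` class are assumptions.

```python
import secrets

# Assumption: these field names mark what must never leave the local vault.
SENSITIVE_FIELDS = frozenset({"card_number", "billing_address", "date_of_birth"})


class SplitStore:
    """Two-tier store: offshore half holds contact data only, vault holds the rest."""

    def __init__(self):
        self.offshore = {}   # token -> non-sensitive contact data (may be hosted abroad)
        self.vault = {}      # token -> sensitive data (kept in-jurisdiction)

    def store(self, record):
        """Split one record in two; return the token that ties the halves together."""
        token = secrets.token_hex(16)
        while token in self.vault:           # defensive: guarantee local uniqueness
            token = secrets.token_hex(16)
        self.offshore[token] = {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}
        self.vault[token] = {k: v for k, v in record.items() if k in SENSITIVE_FIELDS}
        return token

    def rejoin(self, token):
        """Reassemble the full record; only possible with access to the local vault."""
        full = dict(self.offshore[token])
        full.update(self.vault[token])
        return full

    def offshore_leaks(self):
        """Audit check: list any sensitive field names found offshore (expected: none)."""
        return sorted({k for rec in self.offshore.values()
                       for k in rec if k in SENSITIVE_FIELDS})


# Constructed sample record for the demonstration.
SAMPLE = {
    "alias": "user-42",
    "email": "user42@example.com",
    "card_number": "4111111111111111",
    "billing_address": "1 Example St, Toronto",
}

if __name__ == "__main__":
    s = SplitStore()
    t = s.store(SAMPLE)
    print("offshore:", s.offshore[t])
    print("rejoined equals original:", s.rejoin(t) == SAMPLE)
    print("sensitive fields offshore:", s.offshore_leaks())
```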