The end of Safe Harbor: transferring personal data to the US
The Court of Justice of the European Union has today issued a widely anticipated ruling on the validity of ‘Safe Harbor’.
Under data protection law, organisations must not transfer personal data outside the European Economic Area unless the receiving country “ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data” (the eighth data protection principle). There are various methods of complying with this requirement, one of which is relying on a decision made by the European Commission that a particular country provides adequate protection. In 2000, the Commission made a decision that the Safe Harbor regime, a self-certification scheme for companies based in the US processing personal data transferred from Europe, provides an adequate level of protection for EU citizens (Decision 2000/520/EC).
The case arose from a complaint by Mr Schrems, an Austrian Facebook user, to the Irish Data Protection Commissioner. Mr Schrems alleged that the transfer of his personal data from Facebook Ireland to Facebook’s US parent, made under Safe Harbor, breached his data protection rights. The Irish DP Commissioner refused to investigate, on the grounds that under Irish law he was bound to follow the European Commission’s previous adequacy decision. Mr Schrems applied for judicial review and the Irish High Court made a reference to the CJEU, asking whether the Irish DP Commissioner was bound to follow the Commission’s decision or whether he could investigate the complaint.
The CJEU’s judgment covers two issues:
- Can a national data protection authority investigate a complaint relating to a transfer of data to a third country where the Commission has made a decision of adequacy?
The CJEU ruled that the existence of an adequacy decision by the Commission does not prevent national data protection authorities from investigating complaints about the transfer of personal data to countries outside the EEA. However, only the CJEU can declare a Commission decision invalid. This means that a national data protection authority (the ICO in the UK) must consider complaints relating to data transfers, but cannot overrule the Commission without recourse to the national courts and a referral to the CJEU. The ICO is considering the implications of this aspect of the judgment.
- Is Commission Decision 2000/520/EC valid?
The CJEU ruled that the Commission’s decision relating to Safe Harbor is invalid, because it does not meet the requirements for an adequacy decision. In particular, the self-certification method, the ability of the US authorities to override the protections afforded by Safe Harbor and the lack of judicial remedies available to data subjects meant that the decision was flawed. The CJEU reached this decision without reviewing in detail the Safe Harbor principles.
The key implication of the CJEU’s decision is that Safe Harbor can no longer be relied on to legitimise transfers of personal data to the US. This does not prohibit transfers of personal data to the US, but it does mean that other methods must be used to ensure compliance. For example, data controllers that have relied on Safe Harbor-certified processors in the US might wish to put in place model contract clauses instead (or use processors based in the EEA). Intra-group transfers from the EU to the US may be legitimised by the use of binding corporate rules. Alternatively, controllers may transfer personal data outside the EEA (including to the US) with the consent of the data subject.
Whilst discussions between the EU and the US continue with a view to negotiating a revised Safe Harbor scheme, and the ICO has acknowledged that it may take some time for businesses to adjust to life after Safe Harbor, data controllers should act quickly to ensure that they comply with data protection legislation.