More than two years after the Edward Snowden leaks, the effects still linger. Most recently, those effects were felt on October 6, 2015, in a decision issued by the European Court of Justice (ECJ) which invalidated the U.S.-EU Safe Harbor Framework (“Safe Harbor”) – a decision which has companies that regularly transfer personal data from the European Union (EU) to the U.S. struggling to understand available alternatives. Schrems v. Data Protection Commissioner, Case C-362/14 (October 6, 2015).
Until last week’s decision, the Safe Harbor gave U.S. companies a way to receive personal data from the EU that satisfied the EU Data Protection Directive (95/46/EC) and, in Ireland, the Data Protection Acts 1988 and 2003. To join the Safe Harbor, a U.S. company had to “self-certify” to the U.S. Department of Commerce that it complied with the Safe Harbor Privacy Principles. Many U.S. companies doing business in the EU relied on the Safe Harbor and self-certified their compliance.
The Schrems case arose from a legal challenge brought by Austrian national Max Schrems. Schrems has been a Facebook user since 2008, contracting with Facebook Ireland. Some or all of the data of Facebook Ireland users residing in the EU is transferred, under the Safe Harbor framework, to servers of Facebook Inc. in the United States, where it is kept and processed.
In June 2013, Schrems, then a 24-year-old law student in Vienna, filed a complaint with the Irish Data Protection Commissioner (“Commissioner”); Ireland is where Facebook has its EU headquarters. He crowdfunded his case online and requested a copy of his data from Facebook through a process that is described in detail on the crowdfunding website.
The history of Schrems’ lawsuit:
Schrems claimed, in essence, that the law and practices of the U.S. offer no real protection of personal data against government surveillance. His allegation was based largely on the revelations made by Edward Snowden earlier in 2013 concerning the activities of U.S. intelligence services, in particular those of the National Security Agency (“NSA”).
According to the Snowden revelations, the NSA established a program called “PRISM” under which it obtained – as described by the ECJ – the “unrestricted access to mass data stored on servers in the United States owned or controlled by a range of companies active in the internet and technology field . . . .”
Initially, the Commissioner rejected Schrems’ complaint as frivolous, taking the view that the European Commission’s 2000 Safe Harbor decision (Decision 2000/520) had already found U.S. protection adequate and that he was bound by it. Schrems then brought proceedings before the Irish High Court for judicial review of that rejection. The High Court concluded, on the basis of the Snowden disclosures, that once personal data is transferred to the United States, the NSA and other U.S. security agencies are able to “access it in the course of a mass and indiscriminate surveillance and interception of such data.” It then referred to the ECJ the question whether a national data protection authority is bound by the Commission’s Safe Harbor decision or may conduct its own investigation of a complaint.
On September 24, 2015, ECJ Advocate General Yves Bot issued a non-binding opinion recommending that the ECJ use the Schrems case to invalidate the Safe Harbor framework in light of Snowden’s revelations.
While the ECJ is not bound to follow the Advocate General’s opinion, it frequently does so, and it did so here. The court first held that a national data protection authority may investigate a complaint about the adequacy of protection in a third country even where the Commission has issued an adequacy decision. It then found that the Commission had not shown that U.S. access to transferred personal data is limited to what is “strictly necessary and proportionate to the protection of national security,” and that individuals whose data is transferred have “no administrative or judicial means of redress” if their data is accessed or used for purposes other than those for which it was collected. On that basis the court declared the Commission’s Safe Harbor decision invalid.
What to do now:
This decision has serious ramifications for the more than 4,500 companies that currently rely on the Safe Harbor, which must now find another lawful basis for transferring personal data from the EU to the U.S. At the moment there is no clear path to one.
According to a Fortune.com article by Vivienne Walt posted on October 6, 2015, “U.S. and EU officials have been negotiating new Safe Harbor rules since 2013, and in recent weeks both sides have said they were close to agreement. The new rules would likely include assurances – never before made – that governments will not access data of regular citizens.”
In an October 9 article in Bloomberg BNA (“EU Privacy Chiefs to Mull U.S. Data Transfer Future”), author David Alpin says that the “Article 29 Working Party, an advisory group to the European Commission that is made up of representatives from the data protection authorities of the 28 EU member states, is slated to meet in Brussels Oct. 15 to consider offering official guidance to companies reeling from the sudden demise of the [Safe Harbor] program.”
What is clear at this point is that companies transferring personal data from the EU to the U.S. can no longer rely on the Safe Harbor principles to establish adequate protection for that data. Continuing such transfers on that basis may give rise to complaints by employees or customers, investigations by individual data protection authorities, and possible enforcement actions and penalties.
What are the current alternatives? The mechanisms available under the Directive include binding corporate rules (BCRs), which are approved by data protection authorities and permit transfers within a corporate group; the standard contractual clauses (“model clauses”) adopted by the European Commission; and the unambiguous consent of the data subject to the transfer. These methods, however, are costly, time consuming, and often difficult to put in place, and BCRs in particular require regulatory approval that can take a long time to obtain.
U.S. companies that receive personal data from the EU, or that use U.S.-based cloud services to store or process such data, should immediately review the contracts and intra-group agreements governing that data to ensure that each transfer rests on a mechanism EU law still recognizes, such as the model clauses, or is otherwise approved by the relevant regulators. Further guidance on the subject is certain to follow, and companies should watch for it.