Safe harbour no longer safe
The EU's top court declared the Commission decision on the adequacy of the US–EU safe harbour privacy framework invalid. The Schrems ruling (C-362/14) has significant consequences for businesses transferring data across the Atlantic.
If your business uses an online service operated by a US-based company or otherwise transfers personal data to the United States, you may need to take action by, for instance, executing certain model contract clauses or obtaining consents from persons whose data is concerned.
What is the safe harbour?
Under European data protection law, subject to certain derogations, transfer of personal data (any information relating to an identified or identifiable natural person) outside the EEA (European Union plus Iceland, Liechtenstein and Norway) may take place only if the non-EEA country in question ensures an "adequate level of [data] protection". The European Commission may find that a non-EEA country ensures such an adequate level of protection, in which case EU member states are to take the measures necessary to comply with the Commission's decision.
In 2000, the Commission adopted a decision finding that the "safe harbour" framework, developed by the US Department of Commerce (DOC) in consultation with the Commission, ensures an adequate level of protection for personal data transferred from the EU to organisations established in the United States. To benefit from the safe harbour, the US organisation must unambiguously and publicly disclose its commitment to comply with the safe harbour principles. The DOC maintains a list of organisations that have self-certified compliance with the principles. There are some 4,400 current certifications on the list.
Why was it declared invalid?
As is well known, a number of revelations have brought to light the existence of large-scale information-collection programmes in the United States. According to those revelations, the US National Security Agency operates a programme called "PRISM" under which it may obtain communications stored on servers in the United States for foreign intelligence purposes. All companies involved in the PRISM programme appear to be certified under the safe harbour scheme.
In its judgment of 6 October, the Grand Chamber of the Court of Justice of the EU declared the Commission's 2000 decision invalid, holding that it did not state that the US in fact "ensures" an adequate level of protection by reason of its domestic law or its international commitments.
The Court held, moreover, that the Commission had exceeded the power that was conferred on it in the underlying directive of the European Parliament and of the Council. Respect for private and family life, protection of personal data and right to an effective remedy and to a fair trial enshrined in the Charter of Fundamental Rights of the EU played a key role in the Court's argumentation, as they did previously in Digital Rights Ireland and Others (C-293 and 594/12), where the Court invalidated the so-called data retention directive.
What are the ramifications of the ruling?
Seeing that the safe harbour scheme was declared invalid in its entirety and without any transition period (but not retrospectively), transfer of personal data to the United States now requires another criterion for making it legitimate. Under the Finnish Personal Data Act (523/1999, as amended), a transfer or a set of transfers of personal data to a non-EEA country not necessarily ensuring an adequate level of protection may take place, for example, if:
- the data subject (the identified or identifiable natural person) has unambiguously consented to the transfer;
- the transfer is made by using so-called standard contractual clauses adopted by the Commission; or
- the transfer is made by using other contractual clauses (e.g. so-called binding corporate rules), which the Commission has not found inadequate.
If you cannot resort to any of these statutory derogations, the legitimacy of the transfer must be assessed on a case-by-case basis by considering circumstances such as the nature of the data, the purpose and duration of the proposed processing operation or operations, and the law and practices in force in the United States. The obligation to notify the supervisory authority (in Finland, the Data Protection Ombudsman) will also need to be taken into account.
The king is dead, long live the king – or What happens next?
Two years ago, the Commission made 13 recommendations to improve the functioning of the safe harbour scheme and called on the US authorities to identify remedies. The parties have been stuck in negotiations that were supposed to have finished months ago, but this ruling shifts the goalposts. It is no longer about improving an existing scheme, but rather about trying to hammer out a new deal that would fit the parameters posited by the Court. At the same time, the Commission, the European Parliament and the Council are dotting the i's and crossing the t's concerning the so-called general data protection regulation that will comprehensively reform the data protection rules in the European Union.
In the meantime, there is an immediate need for individual businesses to identify a new criterion for legitimising the continued use of services provided by US-based companies for processing personal data. If none of the derogations discussed above is applicable, one must be prepared for the possibility that a supervisory authority of an EU member state examines a person's claim concerning the protection of his or her rights and freedoms with regard to data that is uploaded to, say, a cloud service operated in the United States and, on that basis, suspends such use.