In brief, Schrems, an Austrian law student, challenged Facebook’s practice of storing personal data on US-based servers, a practice that allegedly allows the National Security Agency (“NSA”), or similar US intelligence organisations, to have easy access to the personal data of EU citizens.
Schrems had filed a complaint with the Irish Data Protection Commissioner (“IDPC”) since Facebook has its European presence in Ireland. The IDPC, however, dismissed Schrems’ complaint on the grounds that the “Safe Harbour” scheme prevents the IDPC from evaluating whether the complaint was reasonably justified. The decision on “Safe Harbour”, which was released by the European Commission (“EC”) in 2000 (Decision 2000/520/EC), basically states that a US-based company that has successfully completed a “Safe Harbour” self-certification procedure is deemed to ensure a data protection level that is adequate to meet European requirements. As a consequence, Safe Harbour-certified US companies are allowed to receive personal data from European companies (or individuals) without further restrictions, such as the need to obtain approvals from European data protection authorities. Since Facebook is a Safe Harbour-certified company, and thus allegedly ensures an adequate level of data protection consistent with EU requirements, the IDPC claimed that the legitimacy of storing Facebook data in the US could not be assessed under national Irish data protection law. Schrems challenged this ruling in Ireland’s High Court and the case ultimately ended up before the European Court of Justice (“ECJ”), the EU’s highest court.
The ECJ has now ruled that the existence of an EC decision on a third country's data protection adequacy level does not prevent national supervisory authorities from exercising their examination obligations. According to the Court's ruling, the IDPC is therefore required to examine Mr Schrems' complaint and to decide on the legitimacy of Facebook's transfer of data to the US.
The most interesting element of the ECJ's ruling, however, goes beyond the matter of Facebook's data transfers: the ECJ has ruled that the "Safe Harbour" scheme is invalid. In doing so, however, the Court refrained from making a statement on the adequacy of the "Safe Harbour" scheme in and of itself. Rather, the ECJ took a critical view of the fact that US national security, public interest and law enforcement entitlements have primacy over the Safe Harbour principles, and that the EC's decision on Safe Harbour did not contain any findings on the consequences arising from this primacy. In essence, the Court reasoned that adequacy, measured against European data protection law, which requires any interference with the protection of personal data to be limited and proportionate and which demands effective judicial protection, cannot be ensured if there are no findings on whether the third country's law complies with these requirements. In other words: the ECJ declared the EC's Safe Harbour decision invalid because of the decision's incomplete findings.
Impact of the ruling
In assuming this stance, the ECJ did not really make a statement on whether US domestic law is adequate. Nor has the ECJ introduced obstructions to potential negotiations of a new Safe Harbour agreement. Rather, the Court’s ruling gives guidance on the findings required for a new EC decision in order to sufficiently “ensure” that the third country’s data protection level is adequate and – no less important – to give the ECJ the opportunity to examine the accuracy of such a new decision.
Currently, US companies are trying to remedy their (now invalid) Safe Harbour registrations by implementing standard contractual clauses. Whether this proves to be an adequate solution remains to be seen, since the ECJ's considerations on the improper findings in the EC "Safe Harbour" Decision by and large apply likewise to the EC Decisions on standard contractual clauses. Another, admittedly innovative, approach might be to reconsider the nature of international data transfers from scratch. As pointed out in the "Data Under Control" article in this Roadmap, it might turn out in multiple scenarios that data transferred out of Austria and, ultimately, out of Europe is, on a strict legal interpretation, not transferred by an Austrian data controller to a data controller located outside Europe, but is rather "directly" collected by the non-European data controller. This view would ultimately lead to the overall non-applicability of the very data transfer regulations that are now under critical consideration.
No matter which way "Safe Harbour" goes: the concept of international data transfers will now have to be reconsidered from scratch.