The Court of Justice of the European Union has produced a landmark decision in Maximillian Schrems v Data Protection Commissioner (C‑362/14). The ruling may have huge economic and political repercussions for the tech industry in the next months.
This is a case that requires some context if you are unfamiliar with DP safe harbors. Art 25 of the Data Protection Directive 95/46/EC contains a set of data protection principles, the first two of which clearly state that personal data from European citizens can only be transferred to a third country if the recipient territory provides an adequate level of protection for that data. The level of adequacy will take into account several circumstances, such as “the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.”
The DP Directive was enacted just as the Internet was starting to become widespread, and just as it is today, it was very US-centric. So it became clear that in order to comply with adequacy requirements, DP authorities would have to declare the United States as having an adequate level of protection to personal data, but such declaration was impossible because that country does not have any data protection laws worthy of the name. Only a few countries have been given adequacy status by the Commission, these are Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay. But something had to be done about the United States, which is by far the largest destination of personal data from Europe.
Cloud services, electronic commerce transactions, social media, email, messaging, user data, contact details, customer and employee data. Most often will be exported at some point.
So European institutions came up with a way to go bypass having to give the US adequacy status. In 1999 the Commission started discussions with the US government to allow the creation of a so-called ‘Safe Harbor’ allowing the transfer of personal data to the United States without having to declare that US law complied with DP requirements. The agreement reached in 2000 allowed the transfer to companies in the US that signed up to the “Safe Harbor Privacy Principles”, a condensed version of the provisions contained in the DP Directive. The companies also agreed to be held responsible for keeping to those principles by the US Federal Trade Commission (FTC) or other oversight schemes (see a list of companies here).
The system has been working for 15 years without incident, US companies used the Safe Harbor to pretend that they cared about data protection, and it undoubtedly allowed the vast interchange of information across the Atlantic to continue. But then Edward Snowden showed us just how much the very companies that had signed up to safeguard our data were complicit in violating every single data protection principle.
Here is where things get interesting. Schrems then brought an action to the Irish High Court trying to get the DPC’s decision overturned. The High Court decided that, while surveillance can serve an important role in protecting the public, Snowden had demonstrated a ‘significant over-reach’ on the part of the NSA and other US federal agencies. The High Court continued to state that EU citizens have no legal recourse to stop such surveillance, and that the indiscriminate nature of the intrusion clearly violates the principle of proportionality expressed in the DP Directive. The High Court concluded that to continue allowing authorities to “access electronic communications on a casual and generalised basis without any objective justification” contravenes Arts 7 and 8 of the Charter of Rights. However, the High Court stated that it could not proceed because this was a matter of European law, namely, the Commission had created the Safe Harbor allowing the transfer of personal data to the US, and the court could not oppose that decision. So the question came down to the legality of the Safe Harbor. The High Court then referred the question to the CJEU:
‘(1) Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in [Decision 2000/520] having regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of Article 25(6) of Directive [95/46] notwithstanding?
(2) Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision was first published?’
In answer to those questions, the CJEU has given us one of the biggest legal victories in years, probably matched only by Google Spain. The CJEU carefully considered the different rights involved, and decided that the existing Safe Harbor was invalid because it clearly did not protect European citizens adequately. The Court considered that the DP Directive had given Member States the power to create national authorities tasked with the obligation to determine how personal data is being used. By relying on the Safe Harbor decision, the data protection authorities would not have the power to examine claims lodged by data subjects, which would erode the very core principles behind the data protection regime. The Court says:
“In the converse situation, where the national supervisory authority considers that the objections advanced by the person who has lodged with it a claim concerning the protection of his rights and freedoms in regard to the processing of his personal data are well founded, that authority must […] be able to engage in legal proceedings. It is incumbent upon the national legislature to provide for legal remedies enabling the national supervisory authority concerned to put forward the objections which it considers well founded before the national courts in order for them, if they share its doubts as to the validity of the Commission decision, to make a reference for a preliminary ruling for the purpose of examination of the decision’s validity.”
So the Court had to decide whether the Commission Safe Harbor decision was valid, to do so they examined if the system of self-certification provided adequate levels of protection. They comment:
“Whilst recourse by a third country to a system of self-certification is not in itself contrary to the requirement laid down in Article 25(6) of Directive 95/46 that the third country concerned must ensure an adequate level of protection ‘by reason of its domestic law or … international commitments’, the reliability of such a system, in the light of that requirement, is founded essentially on the establishment of effective detection and supervision mechanisms enabling any infringements of the rules ensuring the protection of fundamental rights, in particular the right to respect for private life and the right to protection of personal data, to be identified and punished in practice.“
The Court examined the Safe Harbor system and found it wanting, particularly because the FTC tended to enforce it only when it came to commercial disputes, and did not intervene with regards to the actual protection of fundamental rights. The lack of oversight, and the existence in the US of legislation allowing widespread surveillance, would amount to a contravention of European citizen’s rights:
“ In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter […]. Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection […]. The very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law”.
The CJEU had no other choice but to declare the Safe Harbor invalid.
We are in uncharted territory. The Internet of 1999 was very different to the multinational server farm world that we have now. There are social media companies whose business model is predicated on the movement of personal data, they literally trade with information. These companies will immediately have to ensure that they are not exporting data from European customers. There have been suggestions that enterprises will start relying on Binding Corporate Rules or Model Contract Clauses, which are unilateral actions by an undertaking promising to comply with the Data Protection principles. The agreement from most experts seems to be that these are also invalid, as they do not guarantee the rights of European citizens. (Edited to add) While the clauses and rules have not been declared invalid and it is possible that companies will use them in the short term, the entire US system has been declared inadequate, so it is just a matter of time before they are specifically brought down.
And this is one of the most delightful elements of the ruling. Here we have two courts (if we count the High Court) telling us that the Snowden revelations have uncovered a level of surveillance that is unacceptable and that runs contrary to European law. The potential for violation of those principles is such that the entire US is deemed inadequate. This will surely include puny model clauses and corporate rules.
So the tech industry has been immediately thrown into crisis. The first action will be that companies will probably try to reduce the amount of data exports, probably by setting up European-only services. Could it be possible that some companies will just abandon Europe in disgust? Could it even be possible that the data export principle will be removed from the new Data Protection Regulations? Surely it is too late for that.
To me the most far-reaching element of the decision is that it acts as direct recognition that Snowden’s actions were in the public interest, and that we are better off knowing what is being committed in the name of security. The fact that the CJEU has ruled that the US surveillance apparatus is in direct contravention of Arts 7 and 8 of the Charter of Rights cannot possibly be understated, as it may offer avenues for further litigation. Buckle up, this ride may get a little bit bumpy.
Every cloud has a silver lining. Unless they send personal data to the US, in which case the outlook is decidedly dark.