Yesterday, the European Court of Justice (ECJ) followed Advocate General Yves Bot's recommendations in the ECJ Case C-362/14 (Maximilian Schrems vs Data Protection Commissioner) and declared the Commission's US Safe Harbour Decision invalid.
In brief, Schrems, an Austrian law student, challenged Facebook's practice of storing personal data on U.S.-based servers, a practice that allegedly allows the NSA, or similar United States intelligence organizations, to have easy access to the personal data of EU citizens.
Schrems had filed a complaint with the Irish Data Protection Commissioner since Facebook has its European presence in Ireland. The Irish Data Protection Commissioner, however, dismissed Schrems' complaint on the grounds that the "Safe Harbour" scheme prevents the Commissioner from evaluating whether the complaint was reasonably justified. The decision on "Safe Harbour", which was released by the European Commission in 2000 (Decision 2000/520/EC), basically states that a U.S.-based company that has successfully completed a "Safe Harbour" self-certification procedure is deemed to ensure a data protection level that is adequate to meet European requirements. As a consequence, Safe Harbour-certified U.S. companies are allowed to receive personal data from European companies (or individuals) without further restrictions, such as the need to obtain approvals from European data protection authorities. Since Facebook is a Safe Harbour-certified company, and thus allegedly ensured an adequate level of data protection consistent with EU requirements, the Irish Data Protection Commissioner basically claimed that the legitimacy of storing Facebook data in the United States could not be assessed under national Irish data protection law. Schrems challenged this ruling in Ireland's High Court and the case ultimately ended up before the ECJ, the EU's highest court.
The ECJ has now ruled that the existence of a Commission decision on a third-country data protection adequacy level does not prevent national supervisory authorities from exercising their examination obligations. According to the Court's ruling, the Irish Data Protection Commissioner is therefore required to examine Mr Schrems' complaint and to decide on the legitimacy of Facebook's transferring of data to the United States.
The most interesting element of the ECJ's ruling, however, goes beyond the matter of Facebook's data transfers: The ECJ has ruled that the "Safe Harbour" scheme is invalid. However, in doing so, the Court refrained from making a statement on the adequacy of the "Safe Harbour" scheme in and of itself. Rather, the ECJ took a critical view of the fact that U.S. national security, public interests and law enforcement entitlements have primacy over the Safe Harbour principles and that the Commission's decision on Safe Harbour did not contain any findings on the consequences arising from this primacy. In essence, the Court reasoned that adequacy with European data protection law, which requires any interference with the protection of personal data to be performed in a limited and proportional manner and which asks for effective judicial protection, cannot be ensured if there are no findings on the question of whether the third country's law complies with these requirements. In other words: The ECJ declared the Commission's Safe Harbour decision invalid due to the decision's incomplete findings.
In assuming this stance, the ECJ did not really make a statement on whether U.S. domestic law is adequate. Nor has the ECJ introduced obstructions to potential negotiations of a new Safe Harbour agreement. Rather, the Court's ruling gives guidance on the findings required for a new Commission decision in order to sufficiently "ensure" that the third country's data protection level is adequate and – no less important – to give the ECJ the opportunity to examine the accuracy of such a new decision.
Yet, apart from the abovementioned considerations regarding a new Safe Harbour decision, the ECJ's ruling certainly has an impact on the other international data transfer concepts, such as the concept of Standard Contractual Clauses. The Court's considerations on the Commission's improper findings might apply in a similar manner to the Commission's decisions on the Standard Contractual Clauses. It will therefore be of particular interest to see how the national supervisory authorities react to the ECJ's rulings not only with respect to Safe Harbour, but also with respect to the concept of Standard Contractual Clauses and, not to mention, Binding Corporate Rules.
By Günther Leissler, Counsel, Schoenherr