Twenty years ago, the European Union adopted its directive on the protection of personal data (Directive 95/46/EC), which was subsequently incorporated into the Agreement on the European Economic Area and has been implemented in national law, for example in Iceland. The directive was aimed at safeguarding the right of citizens to privacy with regard to their personal data, as the Council of Europe had sought to do earlier, but also at ensuring the free flow of personal data between states within the EEA.
On the other hand, the directive introduced considerable restrictions on the transfer of personal data to third countries outside the EEA, in particular by requiring that such transfers take place only if the third country in question ensures an adequate level of protection for the personal data to be transferred.
After the directive had been adopted, the Commission assessed the adequacy of the level of protection afforded to personal data by various third countries outside the EEA and concluded that a number of them afforded an adequate level of protection, including Switzerland, Canada and Argentina.
Separate rules for the United States on “Safe Harbours”
In the case of the United States, it was clear from the outset that the general legislation of that country did not contain the safeguards necessary for the Commission to conclude that the country afforded, in general, an adequate level of protection for personal data transferred there. It was therefore not feasible to grant the United States the same status as a “safe third country” that the aforementioned countries had been given. However, following long and arduous negotiations, an arrangement was reached in 2000 whereby the US Department of Commerce would issue so-called “Safe Harbour Privacy Principles”; the transfer of personal data to organizations that adhered to those principles would be permitted; and the US Federal Trade Commission would monitor compliance with the principles. Organizations would self-certify their adherence to the principles with the Department of Commerce, which would then enter them on a public list. That way, it would always be generally known which were the “safe harbours” for personal data within the United States. The Commission approved this arrangement in a special decision in July 2000 (Decision 2000/520/EC).
Among the companies that have self-certified to the “Safe Harbour Principles” is the social media company Facebook. In its registration, the company states that it typically receives personal data from its subsidiary, Facebook Ireland Ltd.
Maximillian Schrems and Facebook
In 2008, Maximillian Schrems, an Austrian citizen, registered for a Facebook account. Following Edward Snowden's revelations in 2013 that governmental institutions in the United States had extensive access to personal data stored by numerous companies, including Facebook, Mr. Schrems filed a complaint with the Data Protection Commissioner in Ireland. In essence, Mr. Schrems asked the Commissioner to prohibit Facebook Ireland from transferring his personal data to the United States. He contended that the law and practice in force in the US did not ensure adequate protection of the personal data held in its territory against the surveillance activities carried out there by its public authorities.
The Commissioner rejected the complaint as unfounded, citing the Commission's decision of 2000: under that decision, Facebook was to be considered as being within a “Safe Harbour” in the United States, and therefore no further examination was called for of whether personal data were adequately protected in that country.
Mr. Schrems did not accept the Commissioner's dismissal of his complaint and brought an action before the High Court in Ireland challenging that decision. The High Court observed that Mr. Schrems was in reality questioning the legality of the “Safe Harbour” regime as such. The court therefore decided to refer two questions to the Court of Justice of the European Union (CJEU) for a preliminary ruling: first, whether the Commission's decision finding that the “Safe Harbour” scheme provides adequate protection for personal data is binding on data protection commissioners, precluding them from making their own independent assessment of the scheme; and secondly, whether a data protection authority may and/or must conduct its own investigation of the matter in the light of factual developments that have occurred since 2000, when the Commission decision was first published.
The judgement of the EU Court of Justice
On 6 October 2015, the CJEU delivered its judgement in the case (C-362/14). In it, the court holds that even where the Commission has concluded that a third country affords an adequate level of protection to personal data, that finding does not affect the power of the data protection authority in a member state to conduct its own assessment of the adequacy of the third country's legislation in this regard. The Commission's “Safe Harbour” decision of 2000 could therefore not preclude the Irish Data Protection Commissioner from assessing for itself whether Facebook's “Safe Harbour” provided adequate protection of the personal data received from its Irish subsidiary. However, the judgement stipulates that only the CJEU has the power to declare a Commission decision invalid, and it then proceeds to examine the validity of two provisions of the “Safe Harbour” decision, Art. 1 and Art. 3:
Regarding Art. 1, the court first points out that in it the Commission asserts that the “Safe Harbour Principles” provide an adequate level of protection for personal data. The court then describes how self-certified US undertakings, here Facebook, are bound to disregard, without limitation, the protective rules laid down by the “Safe Harbour” scheme where those rules conflict with national security, public interest or law enforcement requirements. US authorities can therefore interfere with the privacy of data subjects whose personal data are transferred to the USA, without the “Safe Harbour Principles” being capable of averting it.
The court then refers to the importance of limiting data retention, i.e. storage of personal data, to that needed to achieve a legitimate purpose. The judgement declares that “legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data”. The court then goes on to state that legislation that
– permits public authorities to have access on a generalised basis to the content of electronic communications, and
– does not provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data,
must be regarded as compromising the essence of the fundamental rights enshrined in the Charter of Fundamental Rights of the European Union, namely the right to respect for private life (Art. 7 of the Charter) in the first case and the right to effective judicial protection (Art. 47 of the Charter) in the second.
As regards Art. 1 of the Commission decision, the court concludes that in order for the Commission to adopt such a decision, it must find that the third country concerned in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order. However, nowhere in the decision is it stated that the US in fact “ensures” an adequate level of protection by reason of its domestic law or its international commitments. The judgement therefore states that, without there being any need to examine the content of the safe harbour principles, it must be concluded that Article 1 of the decision fails this test and is accordingly invalid.
As regards Art. 3 of the decision, the court holds that its provisions must be understood as denying the national supervisory authorities the power to assess independently whether a Commission decision finding that a third country ensures an adequate level of protection is compatible with the fundamental rights and freedoms of individuals. As this exceeds the power conferred upon the Commission by the directive, Art. 3 of the decision is also declared invalid.
The judgement concludes by stating that, since Art. 1 and 3 of the decision are inseparable from Art. 2 and 4, their invalidity affects the validity of the decision as a whole; the Commission's “Safe Harbour” decision of 2000 is therefore invalid in its entirety.
What are the implications of the judgement?
The immediate effect of the CJEU judgement is to compel the Irish Data Protection Commissioner to examine Mr. Schrems' complaint and to decide whether transfers of the personal data of Facebook users to the US should be suspended.
The wider implications of the judgement are debatable, including its effect on other companies that transfer personal data from the EEA to the US and on the data subjects concerned. In the first instance, those effects are unlikely to be the same in all member states, as they have not implemented the privacy directive or the Commission decisions in the same manner. In Iceland, for example, secondary legislation has been enacted on the basis of the Act on the Protection of Privacy as regards the Processing of Personal Data. This secondary legislation declares the transfer of personal data to entities in the US to be permitted, provided those entities adhere to the “Safe Harbour Principles”. For the CJEU's judgement to have effect in Iceland in the short term, this secondary legislation may need to be repealed or amended. Icelandic law has not been amended to give any direct effect to the “Safe Harbour” decision of 2000 or to its provisions curbing the assessment and investigative powers of data protection authorities. It is nonetheless safe to assume that the CJEU's conclusion, that aspects of US legislation compromise “the essence of the fundamental rights enshrined in the Charter of Fundamental Rights of the European Union”, will weigh heavily if and when the Icelandic Data Protection Authority is called upon to assess the adequacy of the “Safe Harbour” scheme.
It is therefore prudent for companies that have relied on the validity of the “Safe Harbour Principles” to seek other means of ensuring the legality of their transfers of personal data to the US, for example by using the Commission's decisions on standard contractual clauses for the transfer of personal data to controllers or processors in third countries.