The European Court of Justice (ECJ) has finally given its landmark ruling on the case brought by Max Schrems against the Irish Data Protection Commissioner (DPC). Mason Hayes & Curran discusses the fallout.
As has been well reported, yesterday, the ECJ handed down its long-awaited judgment on Schrems v DPC (C-362/14). The Court found that the Safe Harbour system facilitating the export of personal data from the EU to the USA is ‘invalid’.
But what does this mean for international business, and what are the next steps?
1. The judgment is less restrictive for businesses than the AG’s opinion
The judgment doesn’t go quite as far as Advocate General Bot’s opinion, which suggested that EU Commission decisions approving international data transfers were not binding on national data protection authorities (DPAs).
As we previously noted, the AG’s position was quite problematic from the perspective of legal certainty and inconsistent with basic principles of EU law. The fact that the court has not followed this aspect of the AG’s opinion is to be welcomed.
2. Businesses that rely on Safe Harbour need to look at alternative ways of transferring personal data to the US
It is very important to note that this ruling does not prohibit or restrict transfers of personal data from the EU to the US. The judgment simply finds that Safe Harbour – just one of a number of different legal processes that could be used to lawfully move data from Europe to the US – is invalid. There are a number of alternative approaches that can still be used.
In particular, personal data can still be transferred to the US where the underlying individuals have given their consent to such transfer or where EU Commission-approved Standard Contractual Clauses (SCCs) – a special type of data processing agreement – are in place.
However, paragraph 92 of yesterday’s ECJ judgment states that “derogations and limitations in relation to the protection of personal data” should apply “only in so far as is strictly necessary”.
This means that user consent and SCCs still allow for the transfer of data. However, as derogations, these options need to be used with care and are likely to be scrutinised by national DPAs and courts.
Another potential option would be the adoption of ‘binding corporate rules’ (BCRs), a complex arrangement whereby an international corporate group agrees detailed data-sharing protocols that are reviewed and agreed by various DPAs. BCRs are a complex, time-consuming and often costly route to compliance, and are not suitable for most companies.
3. Only the ECJ can review EU rules designed to facilitate international data transfers
Importantly, the ECJ has reiterated that it – and it alone – is the only body empowered and entitled to review the validity of European Commission decisions. The AG’s opinion suggested that national data protection authorities are empowered to review the validity of these decisions, but the ECJ has categorically ruled that this is not the case.
In other words, national DPAs remain bound to follow European Commission decisions permitting international data transfers – such as the decisions approving SCCs – even if the DPAs disagree with them. Any issues about the legality of such decisions need to be decided by the ECJ.
4. Safe Harbour 2.0 is possible
The AG’s opinion set out an extensive (and likely unworkable) list of requirements for a new Safe Harbour deal. The judgment is more limited in its scope.
Indeed, the ECJ appears to have left the door open for some sort of Safe Harbour 2.0 proposal if new arrangements can be agreed with the US. The court appears to envisage a situation where the Commission may issue a new Safe Harbour-style decision. Such a decision may allow for the transfer of personal data to the US, but with more robust security and transfer protocols than the current regime.
It is clear, however, that any such decision would need to provide EU residents with greater rights of recourse in the US courts than is currently the case. It is less than clear how flexible the US will be in its discussions with the Commission in this respect.
5. The decision is most problematic for EU-based data processors
Due to a gap in EU legislation, EU-based data processors cannot clearly rely on SCCs to justify data export. As a result, transfers to US sub-processors were – traditionally – justified by reference to Safe Harbour. Obviously, this is no longer an option.
As a result, this judgment may have the biggest impact upon EU-based data processors, such as cloud storage companies, that would typically host some or all of their data in the US.
In such cases, it may be necessary to ensure that the underlying individuals have consented to the transfer of their personal data to the US. This may not always be easy to achieve, particularly if the processor has no direct contractual relationship with the underlying individuals.
This article was written by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.