www.pdpjournals.com PRIVACY & DATA PROTECTION VOLUME 16, ISSUE 1

n 6th October 2015, the from Europe in compliance with the Court of Justice of the Directive. The demise European Union (‘CJEU’) O gave its judgment in the Until the CJEU’s judgment in Schrems, case of v Data Protection organisations that self-certified to the of the Commissioner of Ireland (Case C- Safe Harbor framework were legally 362/14). As has been widely reported, permitted to receive personal data the CJEU declared the US-EU Safe originating from Europe. The framework US-EU Safe Harbor, a mechanism that has facilitat- itself comprised a set of Privacy ed the transfer of personal data be- Principles and Frequently Asked tween the EU and the US for 15 years, Questions. To certify to the Safe to be invalid. It also found that national Harbor, organisations: (1) conformed Harbor Data Protection Authorities (‘DPAs’) their privacy practices to meet the are not absolutely bound by adequacy requirements of the Safe Harbor decisions of the , Privacy Principles; (2) filed a self- and may conduct their own investiga- certification form with the Department tions into whether transfers of personal of Commerce; and (3) published a Safe data are subject to an adequate level of Harbor privacy policy, stating how the protection. company complied with the Privacy Principles. The decision has attracted lurid media headlines and has created a sense of panic in some quarters. Organisations EU criticism of Safe Harbor are now scrambling to implement alternative data transfer mechanisms EU criticism of Safe Harbor is nothing ahead of anticipated DPA enforcement new, but it intensified following Edward actions. Snowden’s disclosures in June 2013.

Prior to that, in April 2010, the Bridget Treacy, Partner, The facts Düsseldorfer Kreis (a working group comprised of the 16 German state and James Henderson, In the wake of ’s DPAs responsible for the private revelations about the widespread sector), issued a resolution requiring Associate, Hunton & access to personal data enjoyed by additional diligence on the part of Williams, examine the US intelligence agencies, Mr Schrems, German data exporters transferring an Austrian privacy campaigner, made data to Safe Harbor certified entities. uncertain position left by a complaint to the Irish DPA, challeng- By requiring additional diligence, the the CJEU after it declared ing Facebook’s use of Safe Harbor to German DPAs appeared to question transfer personal data to the US. the European Commission’s decision Safe Harbor invalid that Safe Harbor certification is suffi- Mr Schrems alleged that the Safe cient to demonstrate an adequate Harbor did not provide an adequate level of protection for personal data. level of protection for EU personal data in the US. He asked the Irish DPA to In July 2012, the Article 29 Working examine its validity and, if necessary, to Party adopted an opinion on cloud suspend ongoing transfers of personal computing in which it similarly conclud- data to the US by Facebook. ed that EU data exporters could not rely on self-certification alone. The Working Party noted that in order to legitimise Origins of Safe Harbor data transfers to cloud vendors located in the US, data exporters may need to The Safe Harbor framework was devel- obtain evidence of compliance with the oped to address European concerns Safe Harbor framework. that data privacy protections in the US were not ‘adequate’, as required by Following the Snowden revelations, Article 25(1) of the EU Data Protection the rumblings of discontent with Safe Directive (‘Directive’). The framework Harbor crystallised when the European was negotiated by the US Department Parliament called on the European of Commerce and the European Com- Commission to review Safe Harbor, mission to bridge the different privacy claiming that the PRISM programme approaches in the US and Europe, and and access to personal data originating to provide a streamlined means for EU from the EU by US law enforcement organisations to transfer personal data (Continued on page 4) www.pdpjournals.com PRIVACY & DATA PROTECTION VOLUME 16, ISSUE 1

(Continued from page 3) conduct their own investigation into basis by US law enforcement and whether transfers of personal data intelligence agencies would mean agencies constituted a ‘serious viola- are subject to an adequate level of that EU citizens’ personal data are tion’ of the Safe Harbor Agreement. protection. In addition, the Court went not adequately protected. further than the specific question referred to it, and considered whether Prior to publication of the judgment, Mr Schrems’ claim Decision 2000/520 on which the the US trade mission to the EU was Safe Harbor rests is valid. The quick to rebut assumptions concern- Mr Schrems’ complaint was made CJEU decided that it is not. ing Snowden that had appeared in against the backdrop of this growing the Advocate General’s Opinion, stat- European discontent with Safe ing that “[t]he United States does not Harbor. He did not at- Meaning of and has not engaged in indiscriminate tack the Safe Harbor ‘adequate’ surveillance of anyone, including ordi- principles directly, but nary European citizens”, and that the PRISM programme “is in fact targeted attacked the activities In considering the “In the against particular valid foreign intelli- of US law enforcement validity of Decision gence targets, is duly authorized by and intelligence agen- immediate 2000/520, the Court law, and strictly complies with a num- cies and their access noted that the require- aftermath ber of publicly disclosed controls and to and use of EU per- ment of ‘adequacy’ limitations.” sonal data in the US. of the does not mean that a judgment, a third country must en- Schrems’ central sure a level of protection claim was that the number of for personal data that is Absence of right of redress Safe Harbor no longer affected ‘identical’ to that guaran- for EU citizens in US provided an adequate teed in Europe. Rather, level of protection for companies the level of protection Another important factor for the CJEU personal data, because have already for fundamental rights was that EU citizens have no right of of US agencies’ blanket and freedoms must be redress in the US in relation to the access to data, as started to ‘essentially equivalent’ use of their data by such agencies. revealed by Edward implement to those guaranteed in Snowden. Mr Schrems Europe. This is a ques- In the EU, the right of redress to an requested that the Irish alternative tion of fact that requires independent authority is a fundamen- DPA order Facebook to data transfer consideration of domes- tal right and essential to ensure that suspend data transfers tic law and a country’s individuals are protected. Although to the US under Safe mechanisms. international commit- the Federal Trade Commission in Harbor. Some ments. Further, as the US is responsible for ensuring the level of protection that companies do not engage in The specific question vendors have may change, the court unfair or deceptive trade practices referred to the CJEU proactively considered that the (including misrepresentation as to by the Irish High Court Commission would their compliance with the Safe Har- was whether the Irish sent need to ‘check periodi- bor), its jurisdiction does not extend DPA was bound by the pre-executed cally’ whether the ade- to use of data by law enforcement Commission’s adequa- quacy finding remained agencies. Consequently, the CJEU cy decision on Safe Model ‘factually and legally was of the view that the Safe Harbor Harbor, precluding Clauses to justified’. does not provide an adequate level any investigation by the of protection for personal data. DPA into the protection EU clients.” afforded to data trans- Surveillance It should be noted that the CJEU did ferred in those particu- by US law not engage in any direct comparison lar circumstances, or between the use of data by US law whether the DPA could enforcement enforcement and intelligence agen- conduct its own investigation into cies, and those in the EU. Edward the ongoing adequacy of the Safe Decision 2000/520 provides that Snowden’s revelations revealed simi- Harbor, in light of the factual develop- national security and law enforcement lar surveillance activities carried out ments since the Commission’s ade- considerations have primacy over by EU-based intelligence agencies, quacy decision (Decision 2000/520). the Safe Harbor Principles. The court particularly those in the UK. found that this general derogation enabled interference with the funda- The use of personal data in the EU CJEU’s judgment mental rights of European citizens, for the purposes of law enforcement without limit or effective legal protec- and the protection of national security tion. In other words, although organi- The CJEU found that national DPAs is not subject to the Data Protection sations might certify to, and in fact are not bound by Commission ade- Directive, and arguably the use of comply with, the Safe Harbor Princi- quacy decisions, but are entitled to data by EU-based intelligence agen- ples, access on a generalised www.pdpjournals.com PRIVACY & DATA PROTECTION VOLUME 16, ISSUE 1

cies is subject to no greater level of the Safe Harbor. In the absence of and the extent to which they may be supervision or proportionality to that this, organisations will need to consid- covered by other data transfer mecha- of US-based intelligence agencies, a er their data transfer strategy on a nisms or the derogations available point noted by several commentators. country-by-country or even case-by- under the Directive. Appropriate solu- EU citizens may, however, bring court case basis. tions will depend on the nature and action in their jurisdiction to object to extent of a company’s EU-US cross the use of their data for such purpos- border data flows. Apparently simple es, but are not currently afforded Validity of other transfer alternatives to Safe Harbor, such equivalent rights in the US. as Model Clauses, require careful mechanisms questioned planning, not least to ensure that the clauses will cover the correct Implications for business A further source of uncertainty con- data flows, and are executed by the cerns the validity of other available correct entities. Approximately half of data transfer mechanisms, such as The CJEU’s decision has created the EU Member States require Model Model Clauses. significant uncertainty for business. Clauses to be filed with the DPA or Whilst the suspension of the Safe approved by them, and DPA registra- At the heart of the Schrems case is Harbor is of immediate concern for tions may need to be updated. the fact that US law enforcement and the 4,000 companies that currently intelligence agencies have the ability hold a Safe Harbor certification, it Some organisations are turning to to access EU personal data once they also raises the prospect of disruption Binding Corporate Rules. These offer are held in the US. The access rights for the many thousands of EU affili- a good solution but are a longer term of US law enforcement and intelli- ates and customers that rely on the project. gence agencies to data transferred Safe Harbor certifications of those to the US are not specific to data companies. In the UK, the Information Commis- transferred under the Safe Harbor, sioner’s Office (‘ICO’) has indicated but apply to data transferred under The CJEU judgment has created a that it might allow organisations an other mechanisms, such as the EU vacuum and significant uncertainty for initial grace period. The Article 29 Model Clauses. It remains to be seen all organisations that rely on the Safe Working Party has also issued a whether other data transfer mecha- Harbor. statement, saying that pending a long nisms will be challenged but, for now, term solution, BCRs and Model Claus- Model Clauses and the other mecha- es may be used to legitimize EU/US National DPAs may nisms remain valid. data transfers. The Working Party urged for that solution to be in place investigate transfers The Court gave some reassurance by January 2016. in relation to the validity of other data Some of the present uncertainty transfer mechanisms. While recognis- stems from the CJEU’s ruling that ing that national DPAs are required Future of the US-EU Safe national DPAs must investigate the to investigate complaints, the Court adequacy of protection afforded to explicitly reserved to itself the power Harbor framework? transfers of personal data outside of to invalidate other adequacy the EU where data subjects lodge decisions. These decisions could Negotiations to improve the US-EU complaints. be subject to challenge, but this would Safe Harbor Framework between require a referral of the case to the the European Commission and the Prior to the Schrems case, CJEU and a finding by the court that US Department of Commerce are organisations were afforded a degree the adequacy decision was invalid. ongoing. ‘Safe Harbor 2.0’ has not of certainty in relation to reliance on The result is that, at least in the short yet been agreed. Despite calls for the Safe Harbor and other adequacy term, the other available transfer a formal statement on the revised decisions. Following Schrems, organi- mechanisms remain valid. regime, Safe Harbor 2.0 remains sations may need to contend with in limbo, and it remains to be seen different approaches adopted in indi- whether it is now a realistic prospect vidual Member States or, in a worst Immediate next steps at all. While the original Safe Harbor case scenario, different approaches may have been consigned to history, the future without it currently looks adopted on a case by case basis. In the immediate aftermath of the uncertain. judgment, a number of affected com- The Article 29 Working Party is dis- panies have already started to imple- cussing these issues and is expected ment alternative data transfer mecha- to issue guidance in the coming days. nisms. Some vendors have proactive- Bridget Treacy and James ly sent pre-executed Model Clauses to Henderson The European Commission has EU clients. also announced its intention to Hunton & Williams publish guidance. It is crucial that any Before doing anything, businesses [email protected] such guidance adopts a coordinated should first assess the nature and [email protected] approach, providing consistency for extent of their EU-US data flows, organisations that previously relied on