The last year’s judgment of the Court of Justice of the European Union (CJEU) on the “right to be forgotten” (Google v. AEPD) was surprising, in part because it was a rare instance in which the Court departed from opinion of the Court’s Advocate General (A.G.). In contrast, hardly anybody was surprised by the most recent judgment on another controversial data protection issue – transfer of personal data from European Union to the United States under the Safe Harbor regime. This time, the Court agreed with nearly everything the A.G. concluded in his opinion on the issue. That notwithstanding, the judgment of 5 October 2015 in the case Maximilian Schrems v. Office of the Commissioner gives rise to even more controversy than the decision in Google v. AEPD.
In the opinion of many, the Google judgment went too far in restricting freedom of expression in order to ensure the protection of personal data. In Schrems, the principal values in conflict were, on the one hand, protection of privacy and personal data, and, on the other hand, the freedom to conduct a business (which requires free movement of personal data across national borders). Both conflicting rights are recognized by the Charter of Fundamental Rights of the European Union. The Court sided completely with the right to protection of privacy and personal data and made no reference whatsoever to fundamental freedom to conduct a business. Instead, the court juxtaposed “the interests requiring free movement of personal data” to the two fundamental rights.
Schrems annuls the so-called Safe Harbor scheme which, following its introduction in 2000, enabled companies located within the E.U. to export to the United States personal data of citizens of the E.U. Member States. More than 4,000 U.S. companies have certified themselves as providing adequate security and overall protection of the personal data they control. Transfer of data to a Safe Harbor-certified company in the United States did not require authorization from the data protection authority (DPA) in the E.U. Member State from which the data were being transferred. The U.S. Federal Trade Commission has been in charge of overseeing the compliance of the self-certified U.S. companies with the standards under the Safe Harbor regime.
The annulment of the Safe Harbor regime means that transfer to the Safe Harbor certified companies is from now on unlawful, unless some other legal basis for a transfer exists. While the impact of the annulment will be most felt in the E.U. and the United States, other countries will also be to some extent affected. For example, the Montenegrin data protection legislation indirectly recognizes the concept of Safe Harbor (as will be explained in the concluding paragraphs of this blog post). A bill proposing new data protection legislation in Serbia could also be interpreted as enabling data exporters to the United States to rely on the Safe Harbor mechanism – as it existed before 5 October of this year – as a legal basis for the transfer. The annulment of the Safe Harbor regime triggers the need that the relevant parts of the law in Montenegro and the likely future law in Serbia be interpreted differently than what would be the case if the CJEU had left Safe Harbor in force.
What the judgment says
The CJEU found a fundamental deficiency in the two annexes to the European Commission Decision 2000/520/EC of 26 July 2000 – a key instrument establishing the Safe Harbor mechanism. The Decision states that the applicability of the safe harbor principles may be limited “to the extent necessary to meet national security, public interest, or law enforcement requirements”. It also confirms that “where US law imposes a conflicting obligation, US organizations whether in the safe harbor or not must comply with the law”.
It is due to such provisions, the Court said, that “the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security”.
The Court relied exclusively on the findings from two documents (Communications) adopted by the European Commission in November 2013, about the interferences by the U.S. national security and law enforcement agencies with the right to privacy and protection of personal data. The Commission did not bring into question the need for a continued existence of the Safe Harbor scheme, but it sought to have it reformed in order to counteract the large-scale access by national security and law enforcement agencies to data transferred to the U.S. by Safe Harbor certified companies.
Quite a few experts claim that the national security and law enforcement agencies in the major European countries are not more appreciative of privacy and the protection of personal data than their counterparts in the United States. A study by the nonprofit Center for Democracy & Technology found that, against most benchmarks, the United States national security and law enforcement agencies provided the same or greater level of protection of personal data as their counterparts in the other most developed countries.
Be it as it may, derogations in relation to the protection of personal data are permissible under the case law of the Court of Justice of the European Union only in so far as they are strictly necessary. The Safe Harbor scheme, in the CJEU’s reading, fails the test because the U.S. legislation permits the U.S. public authorities to access on a generalized basis the content of electronic communications, while failing to provide for effective judicial review of such practices.
No workable alternative in sight?
Safe Harbor has not been the only ground for lawful transfer of personal data from the E.U. to the United States. Now that the Safe Harbor is annulled, lawyers and businessmen are trying to figure out whether there are alternative grounds for continued transfer of personal data to the United States while hoping that the United States will change its surveillance policies in a way that opens room for adoption of a new, faultless, version of Safe Harbor.
Such alternative grounds do exist. On the same day the Court issued its ruling in Schrems, Vera Jourová, European Commissioner for Justice, Consumers and Gender Equality, referred to “standard data protection clauses in contracts”, “binding corporate rules for transfers within a corporate group”, “performance of a contract”, important public interest grounds such as co-operation between authorities in the fight against fraud cartels, the vital interest of the data subject, or – if none of the above is available – “the free and informed consent of the individual”.
However, it is significantly more difficult to rely on any of these grounds than it was to rely on the now defunct Safe Harbor. Some of the grounds, like “the vital interest of the data subject” or “important public interest”, are rarely applicable. Obtaining the data subject’s consent to the transfer of his or her personal data is in principle always an option. Obtaining such consent is, however, a challenge. Not every data subject is willing to provide his or her consent to the transfer of the personal data to the United States, and the person can always revoke the consent. The consent must be obtained from each data subject individually, often in writing. There is also a tendency among the DPAs in Europe to not consider consent at workplace as freely given, due to the huge imbalance in the negotiating powers of the data controller (employer) and the data subject (employee).
The two potential alternatives most talked-about in the wake of the Schrem judgment are the so-called binding corporate rules (BCRs) and standard contractual clauses (SCCs).
- BCRs are codes of practice adopted internally by multinational corporations. Their purpose is to allow a transfer of personal data from the European Economic Area (EEA) (E.U. Member States, Iceland, Liechtenstein, and Norway) to the affiliates located elsewhere. For BCRs to be effective, the national DPAs of all EEA countries in which the corporation is present must approve of the rules, which they will do if the rules provide adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of data subjects.
- SCCs are clauses in the transfer agreements between a data controller located in the E.U. and a data processor, or another data controller, typically from a country which does not ensure an adequate level of protection of personal data. The clauses must provide the adequate safeguards, similar to the BCRs. The European Commission has the authority to decide that SCCs offer sufficient safeguards, while the national DPA does not get involved, either because the national laws prevent the involvement or because the DPA in practice prefers to stay aside.
Large companies generally disfavor BCRs as a transfer mechanism, due to the time and expenses required for establishing them. The smaller companies find them “too large and complex” to implement. With regard to the specific issues dealt with in the Schrems judgment, there is a near consensus among experts that BCRs do notprovide more protection against data access by national security and law enforcement agencies than does the Safe Harbor. SCCs are similarly ineffective as a shield against surveillance of data transferred to the United States.
Reverberations in Montenegro and Serbia
The Montenegrin Data Protection Act (2008) contains a provision to the effect that transfer authorization from the Montenegrin DPA is not required when “… the data is transferred to … countries on the European Union list of countries which have an adequate level of protection of personal data” (Article 42). One of the countries present on the list maintained by the European Commission has been the United States, i.e. the Safe Harbor-certified U.S. companies. The Montenegrin DPA has not considered that its authorization was required when a Safe Harbor-certified company was the data importer. After the Schrems judgment, such cavalier approach by the DPA seems untenable.
The law in Montenegro, quite unusually for a non-E.U. member state, exempts from the obligation to obtain transfer authorization those data controllers who entered into a transfer agreement with a processor based outside the E.U., provided that such agreement contains the standard contractual clauses “accepted by the Member States of the European Union”. This provision in the Montenegrin Data Protection Act is likely to continue to be applicable to transfers to the United States, simply because the CJEU has not (yet) declared transfers to the United States on the basis of SCCs contrary to the Charter of Fundamental Rights of the European Union and the E.U. Data Protection Directive (95/46/EC).
The data protection law now in force in Serbia does not contain provisions similar to those in the Montenegrin law. However, as the Serbian DPA noted in its reaction to the Schrems judgment, in 2014 the DPA prepared and made available to the Government a Model Data Protection Act which heavily relies on the E.U. “positions and practice” concerning the issue of transfer. The relevant provision in the Model sets forth a presumption that the “countries, territories, or international organizations” from the E.U. (Commission) list of decisions on the adequacy of the protection of personal data in fact provide adequate protection. The model law is expected to be the basis for a new Serbian data protection act, to be adopted in the coming months. If the new law includes the cited provision from the Model, then even assuming that the Serbian DPA has been willing to broadly interpret “countries” to encompass the Safe Harbor-certified US companies, the Schrems judgment makes transfers to such companies without DPA’s authorization impossible.