For fifteen years companies on both sides of the Atlantic relied on Commission Decision 2000/520 (“Commission Decision”) to transfer personal data of EU citizens to USA data centres, until the Court of Justice of the European Union (CJEU) struck it down on 6th October 2015 as violating both EU Directive 95/46/EC (“data protection directive”) and the Charter of Fundamental Rights (“Charter”). The Court, in effect, declared that the USA does not provide for an “adequate level of protection” for the personal data of EU citizens as mandated under European Union law.
The CJEU received a preliminary ruling request from the High Court in Ireland on a petition by Mr. Schrems, an Austrian national, before the Irish National Supervisory Authority (“supervisory authority”), requesting that Facebook Ireland be prohibited from transferring his personal data to Facebook’s data centre in the USA (as is usual practice). The supervisory authority had initially rejected Schrems petition on the grounds that the Commission Decision, which established that USA provided “an adequate level of protection” to personal data of EU citizens, constrained it from concluding otherwise. The Commission relied on a system of self-certification and public disclosure by organisations within the USA of their intent and willingness to abide by the Safe Harbor privacy principles, as prescribed under the data protection directive.
Two sets of questions were put before the CJEU. The first concerned the powers of National Supervisory Authorities, and whether they were limited as a result of the Commission Decision on adequacy levels in the US. The Court ruled that supervisory authorities derived their powers of monitoring and supervision directly from “…primary law of the European Union…” i.e. the Charter, with an ultimate mandate to preserve the right to privacy (Art. 7 Charter) and data protection (Art. 8 Charter). Accordingly, the Court determined that a Commission Decision adopted in pursuance of the data protection directive does not foreclose the power of the supervisory authority from examining claims relating to the processing of personal data. In the same breath, the Court held that if on inspection it appears that claims relating to the violation of Art. 7 & 8 of the Charter or the principles stated in the data protection directive are plausible, the supervisory authority ought to be in a position to challenge this in the courts of the member states, which in turn ought to refer the question to the CJEU through the preliminary reference procedure.
The second question was whether the Commission Decision was valid under extant rules of EU law. The CJEU found that the system of self-certification by US companies of their declared willingness and intent to abide by the safe harbor principles could not withstand scrutiny without an effective mechanism to ensure its compliance. In this regard, the Court found the Commission Decision lacked reference to any such mechanism employed by the US to ensure an adequate level of protection. Most critically, the Court held that the safe harbor principles were to govern, albeit voluntarily, the conduct of US organizations only, with no consequent binding effect on the US public authorities. Therefore the Commission Decision left large discretion to US public authorities in allowing them to limit and contain the applicability of the Safe Harbor principles in pursuance of state objectives like national security or public interest. According to the court, the Commission Decision turns a blind eye to the fact that USA authorities had reserved their powers to store all personal data on a very “generalised basis” without allowing for the possibility of an effective remedy, a non-sequitur under EU law and a violation of the Charter.
Ultimately, the CJEU declared the Commission Decision as invalid in its entirety, which marked an end to the Safe Harbor Agreement. The Opinion has received a favorable response from privacy activists and human rights groups, especially in the light of the Court’s insistence that mass surveillance and indiscriminate sourcing of personal data constitutes a violation of the Charter rights. However, data intensive companies are left in the lurch; the invalidity of the Commission Decision means they now face 28 different national data transfer rules and authorities, each with their own bureaucratic procedures. Considering the variation in the protection of privacy rights in the EU and the USA, a new agreement on data transfer is likely to be long and arduous