EU COURT SAYS DATA TRANSFER PACT WITH U.S. VIOLATES PRIVACY

17 October 2015

Decision will affect about 4,500 companies that move, store personal data

The Court of Justice of the European Union (CJEU) has annulled a European Commission decision which allowed a "safe harbour" for the transfer of personal data to the United States. The case concerned a Facebook user who objected to the transfer of his data to the United States on the grounds that Edward Snowden's revelations had exposed the inadequacies of the U.S. regime. Any firms relying on the safe harbour will need to find alternative grounds to justify transferring data to the United States, or cease doing so. Negotiations between the EU and the United States are already under way to devise a better regime to protect EU personal data which is held or processed in the United States.

Background

In 2000, the European Commission adopted Commission Decision 2000/520/EC, exercising a power in art 25(6) of the Data Protection Directive (Directive 95/46/EC). That article gives the Commission power to decide that a third country's regime for the protection of personal data offers "an adequate level of protection" within the meaning of the 1995 directive. The decision in effect created a "safe harbour" under which U.S. companies could declare their compliance with a series of Privacy Principles. Approximately 5,000 U.S. companies carry out self-certification and confirm compliance with the principles. Transfers of personal data to those companies did not breach the directive.

The European Court of Justice Decision

Maximillian Schrems is an Austrian national who has been a user of Facebook since 2008. Facebook users in Europe are required to agree a contract with Facebook Ireland, a subsidiary of Facebook Inc, which is established in the United States. Some or all of users' personal data are transferred to servers belonging to Facebook Inc, which are based in the United States.
Schrems complained to the Irish Data Protection Commissioner (DPC), asking the DPC to exercise its statutory powers to prevent Facebook Ireland from sending his personal data to the United States. Schrems' contention was that "the law and practice in force in that country did not ensure adequate protection of the personal data held in its territory". Schrems referred to the revelations by Edward Snowden about the activities of, among others, the National Security Agency. The DPC decided that it was not required to investigate the matters raised by Schrems because the Commission's decision had already concluded that the data protection regime in the United States provided adequate protection.

On this point, the court decided that the DPC could not simply rely on the Commission's decision but, when faced with a challenge relating to personal data, "must be able to examine, with complete independence, whether the transfer of that data complied with the requirements laid down by the directive".

The CJEU then went further and decided that the Commission's decision was itself invalid. It gave two reasons.

First, the Data Protection Directive requires that, in adopting such a decision, the Commission "must find, duly stating reasons, that the third country concerned in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order". The court cited a number of its previous decisions as evidence of the level of protection required. The court continued: "However, the Commission did not state, in Decision 2000/520, that the United States in fact 'ensures' an adequate level of protection by reason of its domestic law or its international commitments". On that basis the CJEU found art 1 of the decision invalid.
Second, the Commission's decision included a provision that in effect prevented national data protection authorities from investigating claims about the adequacy of the U.S. regime. As a result, art 3 was also found to be invalid. The CJEU found that arts 1 and 3 could not be separated from the remainder of the decision, meaning that the decision as a whole had to be declared invalid.

The CJEU's finding on art 1 seems odd, because the decision explicitly stated that the arrangements set out in it "are considered to ensure an adequate level of protection for personal data transferred from the Community to organisations established in the United States". The problem may have been that the Commission failed to state sufficient reasons for its belief, or alternatively that it failed to consider the implications of the case law to which the court referred.

The implications of the CJEU decision

The annulment of the decision means that firms can no longer rely on the safe harbour provisions to justify the transfer of personal data to the United States. Article 26(1) of the directive, however, sets out a number of other derogations which allow for the transfer of personal data to a third country "which does not ensure an adequate level of protection", where:

(a) the data subject has given his consent unambiguously to the proposed transfer;
(b) the transfer is necessary for the performance of a contract between the data subject and the controller, or for the implementation of pre-contractual measures taken in response to the data subject's request;
(c) the transfer is necessary for the conclusion or performance of a contract made in the interest of the data subject between the controller and a third party;
(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims;
(e) the transfer is necessary to protect the vital interests of the data subject; or
(f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

Member states are required by the directive to provide for the grounds for transfer outlined above. In addition, under art 26(2), member states are permitted but not required to authorise transfers to third countries which do not ensure an adequate level of protection "where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses".

Actions for firms

Firms that transfer data to the United States will need to determine whether they have adequate grounds to do so now that they can no longer rely on the Commission's decision. In practice, many firms will include contractual terms in their relationships with customers which authorise the transfer of data in this way. Some firms, for example collective investment schemes, may have relationships with their customers that are not based on contract. If that is the case, they will need to decide whether any of the other derogations referred to above will permit the transfer.

Firms may wish to consider adopting binding corporate rules (BCRs) for intra-group transfers. This entails agreeing the rules with one of the EU data protection authorities. Binding corporate rules are designed to allow multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside the EEA in compliance with the Data Protection Directive.
A firm's BCRs must evidence adequate safeguards for protecting personal data throughout the organisation, in line with the requirements of the Article 29 Working Party papers on Binding Corporate Rules.

Where the transfer is to be made outside the firm's own corporate group, the firm may need to use standard contractual clauses approved by the European Commission under art 26(4) of the directive. The Commission has approved four sets of model clauses for firms to use. The details of, and authority for, these clauses are available from the UK Information Commissioner's Office (ICO).

Firms which transmit data to the United States may wish instead to keep the data in the European Union. A number of firms have reportedly reconsidered the processing of European data in the United States, separating EU data from other nations' data for processing. Alternatively, U.S.-based functions working with the data might be relocated to Europe.

Firms should also review vendor contracts for any data services they use and investigate whether subcontractors are themselves processing EU data in the United States. Outsourcing, data analytics, big data and cloud computing arrangements deserve particular attention.

Firms may also wish to revisit what customers are told about the firm's data protection safeguards and about how and where personal data is processed. Any disclosures on the firm's website may need to be reviewed as part of this process. Firms should also monitor complaint levels and ensure that sufficient resources are allocated to deal with them; there may be an increase in the number of subject access requests to the firm's data protection officer. Firms will need to brief customer-facing employees on the appropriate line to take with any customers who raise concerns about the safety of their personal data.

Regulators have made it clear that they understand the challenge firms will face in reviewing the implications of the CJEU decision.
"We recognise that it will take them some time to do this [review]", said David Smith, deputy commissioner of the UK Information Commissioner's Office. Smith referred to guidance which the ICO had already issued to firms on how to transfer data, and said the ICO planned to issue further guidance shortly.

Discussion

The CJEU decision seems to be highly political in nature, given that the Safe Harbour provisions are being renegotiated with U.S. authorities at the moment. The effect of the judgment is potentially to restrict data flows to the United States, which may harm U.S. interests. "I see this [CJEU decision] as a confirmation of the European Commission's approach for the renegotiation of the Safe Harbour", EU Commission first vice president Frans Timmermans said in an initial statement on the CJEU's judgment.

The European Commission's own review of the situation in 2013 concluded that, "given the weaknesses identified, the current implementation of Safe Harbour cannot be maintained ... its revocation would [however,] adversely affect the interests of member companies in the [European Union] and in the [United States]". The CJEU's analysis was not tempered by the same concern for commercial niceties.

The safe harbour approach had previously attracted criticism in Germany, with the German data protection authorities questioning the reliance it placed on self-certification. In 2010, the German regulators criticised the level of oversight by U.S. authorities and asked German firms to check, and keep evidence of, the application of certain security criteria by the third parties involved before transferring any personal data to safe harbour-certified companies or, better still, to opt for contractual arrangements rather than reliance on the safe harbour.

The Commission will be meeting national DPAs to discuss the implications of the decision. The different supervisory authorities will then presumably produce guidance for both consumers and the firms under their authority.
Guidance from the U.S. government should also add clarity to the future of the Safe Harbour agreement and to any data transfers from Europe to the United States.

Hermann Wennekers is senior regulatory intelligence expert (DACH) for Thomson Reuters Regulatory Intelligence in Hamburg. He is a senior-level compliance officer with more than 20 years' compliance and audit experience.