– Executive Summary –

The Safe Harbour framework, that has been used for cross-border data transfers between the European Union (EU) and United States (US) for 15 years, has recently been invalidated by the Court of Justice of the European Union (CJEU) judgment dated 6 October 2015. The case, brought by Max Schrems, an Austrian law student and privacy campaigner, was about the storage and transfer of data of European citizens by US companies such as Facebook. In its pivotal judgment, the CJEU has offered striking insight by declaring the current Safe Harbour regime invalid on the ground that aspects of it are not compatible with the principles of the Charter of Fundamental Rights of the European Union and advocating for substantial improvements concerning the data protection policy of the EU. This article aims to provide an assessment on the current and prospective situations regarding data protection in the EU, by way of analysing the very recent CJEU judgment which will evidently have serious repercussions on the companies that used to work under the Safe Harbour framework, while also serving as a guidance for the EU Commission’s on-going efforts regarding the EU Data Protection Reform, which is expected to ensure stronger protection of personal data through a coordinated European approach.

Legal Framework

Data Protection Directive

The Data Protection Directive is the main legal tool regarding the processing of personal data: its aim is to balance, on the one hand, the right to privacy and, on the other, the free flow of data in the Internal Market; part of the protection provided for by the Directive concerns the principles governing data transfers from the EU to third countries. Article 25 of the Data Protection Directive provides that data transfers from Member States for the purpose of processing can only be allowed if the third country ensures an ‘’adequate’’ level of protection, which is assessed by taking into account the nature of the data, the purpose and duration of the processing operations, the country of origin, the country of destination and the rules of law complied with in the third country. If, following such an assessment, the Commission determines that the third country does not ensure an adequate level of protection, the Member States shall prevent the transfer of data to that country.

In addition to this principle, Article 26 of the Data Protection Directive provides for a number of derogations from Article 25, in the case of which, the Member States may allow data transfers even if the third country does not ensure an adequate level of protection. These derogations have been stated as (a) the consent of the data subject, (b) the necessity of the transfer for the performance of a contract between the data subject and the controller, (c) the necessity of the transfer for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party, (d) the necessity or legal requirement of the transfer on important public interest grounds, (e) the necessity of the transfer to protect the vital interests of the data subject, and (f) transfers made from a public register.

Moreover, Article 28 of the Data Protection Directive provides that every Member State must designate at least one public authority responsible for monitoring the application of the provisions of the Directive. It is especially significant that these supervisory authorities, in practice referred to as Data Protection Authorities (DPAs), must act with complete independence while exercising their powers of investigation and intervention and when engaging in legal proceedings.

Commission Decision 2000/520

Commission Decision 2000/520 has also been an important framework regulating data transfers between the EU and US companies, as it gives effect to the Safe Harbour Privacy Principles provided under Annex I thereto, implemented in accordance with the frequently asked questions (the ‘FAQs’) issued by the US Department of Commerce and provided under Annex II.

The Safe Harbour Principles, which were developed to facilitate trade between the EU and the US, reiterate the necessity for an adequate level of protection by the third country receiving the data and, within this framework, are deemed to qualify as a ‘presumption of adequacy’. The fairly straightforward procedure for obtaining the benefits of the safe harbour regime entails voluntary self-certification by the US company to the US Department of Commerce, by means of a letter containing the relevant information specified in the FAQs.

Charter of Fundamental Rights of the European Union

The Charter of Fundamental Rights of the European Union (2000/C 364/01) (the Charter), which is an instrument of primary EU law, also needs to be taken into account when assessing data protection policies. Within this framework, Article 7 of the Charter guarantees the fundamental right to respect for private life, and Article 8 guarantees the fundamental right to the protection of personal data, both of which are closely related to the case at hand. Thus, the provisions of the Data Protection Directive must be interpreted with regard to the aforementioned fundamental rights guaranteed by the Charter, which sets forth the inalienable pillars of EU law.

In addition, Article 47 of the Charter, which guarantees the fundamental right to an effective remedy and to a fair trial, is also a very significant principle of EU law that is closely linked to the case in question. Pursuant to the case-law of the CJEU, the effective implementation of this principle is especially important for the existence of the rule of law.

Practical Background Regarding the Data Protection Policy of the EU

The Data Protection Directive was adopted in 1995 in order to provide, among other things, a regulatory framework ensuring the protection of cross-border personal data transfers from EU Member States to non-EU third countries. In the following years, based on the needs of different sectors, the Data Protection Directive was followed by other legal instruments providing specific rules for different areas of data protection. Moreover, in 2000, the European Commission adopted Decision 2000/520 in order to streamline the procedure for the transfer and processing of EU citizens’ data by US companies. As explained above, US companies that complied with the Safe Harbour Principles annexed to Commission Decision 2000/520 were regarded as having opted in to providing adequate protection for their data transfer and processing operations.

However, as a result of the growing need for further amendments to the legal framework on data protection, in order to meet the current needs of the market, the European Commission started a review process in 2009. This process included public consultations, negotiations with stakeholders and communications with other institutions, namely the European Parliament, with the aim of adopting a revised legal instrument that addresses the growing concern for the protection of personal data. Moreover, in order to unify EU data protection legislation, the European Commission proposed a draft General Data Protection Regulation in 2012, which would be directly applicable in all Member States once adopted. This Regulation is intended to improve on the existing Data Protection Directive in the areas where the market currently needs it, such as governing data protection with regard to new technological developments, social networks and cloud computing.

While the discussions regarding EU data protection legislation were ongoing, the concerns regarding personal data protection were brought to the fore by the Edward Snowden revelations of 2013 regarding the mass surveillance policies of the US and, especially, data sharing between US companies and the National Security Authority (NSA). As a result, the European Commission started to identify the shortcomings of the Safe Harbour Privacy Principles in order to create more robust safeguards. Within this scope, the European Commission has been carrying out negotiations with the US authorities to make the necessary reforms. Moreover, the European Commission has also been working closely with the DPAs of the Member States in order to create a coordinated European approach to the issue. The Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data, which was established under Article 29 of the Data Protection Directive and is composed of representatives of the DPAs of the Member States, the European Data Protection Supervisor and the European Commission, also works on this issue by issuing recommendations, opinions and working documents in order to shed light on the proposed revisions.

The Judgment of the CJEU on Case C-362/14

Background of the Case

Within the framework of the increased concern for data protection, in 2013 Max Schrems, an Austrian law student and privacy activist, lodged a complaint against Facebook Ireland, since Facebook Inc.’s European headquarters were located in Dublin. In his complaint, Max Schrems asked the Irish Data Protection Commissioner to prohibit Facebook Ireland from transferring the personal data on his Facebook account to the US, claiming that the US did not ensure adequate protection of personal data and referring to the recent revelations made by Edward Snowden on the mass surveillance operations of the NSA. However, the Commissioner rejected this complaint as unfounded, on the grounds that the adequacy of data protection in the US had to be assessed in light of Commission Decision 2000/520 and that there was no evidence that the NSA had accessed Max Schrems’s data.

In order to challenge this decision, Max Schrems brought the case before the High Court, which, taking into account the fundamental principles of the Charter, stated that the undifferentiated and large-scale accessing of personal data by US companies could indeed constitute an over-reach by such companies. In this way, the High Court indicated that, although Max Schrems did not specifically touch upon it in his complaint, the case at hand in reality concerns the legality of the Safe Harbour Privacy Principles established by Commission Decision 2000/520. It therefore referred two questions to the CJEU for a preliminary ruling, in essence asking whether a decision adopted under Article 25(6) of the Data Protection Directive, such as Commission Decision 2000/520 in this case, prevents the DPA of a Member State from examining a complaint by a person regarding the transfer and processing of his personal data, when that person claims that the third country does not provide an adequate level of protection.

On 23 September 2015, Advocate General Yves Bot delivered his Opinion on this case, arguing that the Safe Harbour Agreement was invalid, on the ground that a country which carries out such large-scale and indiscriminate surveillance of personal data, without providing the means of effective judicial protection to the citizens concerned, cannot be regarded as providing an adequate level of protection. Moreover, he further argued that decisions of the European Commission, such as Commission Decision 2000/520, could not prevent national supervisory authorities from exercising their investigative powers independently and examining every complaint individually.

CJEU’s answers to the referred questions

The CJEU, in its widely discussed judgment delivered on 6 October 2015, which followed Advocate General Bot’s Opinion on most points and thus invalidated Commission Decision 2000/520, examined the issue in two steps: first, the procedural assessment of the DPAs’ powers regarding data protection, and second, the substantive ruling on the validity of Commission Decision 2000/520. Both of these steps are discussed separately below in order to shed light on the CJEU’s assessment of this controversial issue.

Balancing the powers of the DPAs and the scope of Commission decisions adopted as per Article 25(6) of the Data Protection Directive

In order to resolve this duality, the CJEU first emphasized that the provisions of the Data Protection Directive should be interpreted in light of the fundamental rights and freedoms guaranteed under the Charter, such as the right to respect for private life and the right to the protection of personal data explained above, since these constitute the primary law of the EU. Moreover, as stated in Article 28 of the Data Protection Directive, the DPAs have the power to monitor and investigate the compliance of transfers of personal data with the provisions of the Data Protection Directive in a completely independent manner. According to the CJEU, only in that way can the DPAs ensure a fair balance between protecting fundamental rights and the free movement of personal data.

Within this scope, and in line with the Advocate General’s Opinion, the CJEU, in paragraph 53 of its judgment, underlined that a Commission decision adopted pursuant to Article 25(6) of the Data Protection Directive cannot eliminate or reduce the powers of the DPAs, since the contrary would deny the complainant his right to effective judicial remedy, which is also a fundamental right provided by the Charter.

Lastly, contrary to the Advocate General’s Opinion, in which he had stated that the DPAs could decide on the invalidity of a Commission decision, the CJEU clarified this issue in paragraphs 61 and 62 of its judgment by holding that, although the DPAs are entitled to consider the validity of a Commission decision, they do not have the power to declare such a decision invalid. The power to declare a Commission decision illegal or invalid is bestowed exclusively upon the CJEU, in order to eliminate legal fragmentation and ensure the uniform application of EU law.

Thus, on the first point of assessment, the CJEU declared that even where there is an existing Commission decision, such as Decision 2000/520, finding that a third country ensures an adequate level of protection for data transfers, the DPAs are nonetheless entitled to examine each individual complaint on a case-by-case basis.

Legality of Commission Decision 2000/520 and the Safe Harbour Privacy Principles

In line with the statements of the referring court, the CJEU also indicated in its judgment that it is essential to assess the validity of Commission Decision 2000/520, which forms the legal basis of the issue at hand. Pursuant to Article 25 of the Data Protection Directive, the main requirement for the security of data transfer and processing operations is ensuring an adequate level of protection. The Advocate General, in paragraph 142 of his Opinion, shed light on the meaning and scope of the term ‘’adequate’’, and stated that it should not be interpreted as amounting to a merely satisfactory level of protection, but rather to an appropriate and high level of protection of fundamental rights. In parallel, the CJEU, in paragraph 73 of its judgment, also emphasized that the adequate level of protection expected from a third country, such as the US in this case, should be equivalent to the protection guaranteed within the EU.

Within the scope of its assessment of the legality of Commission Decision 2000/520, the CJEU focused mainly on Article 1 and Article 3 of the Decision. The two Articles, both of which were declared invalid by the CJEU, are discussed separately below.

Invalidity of Article 1 of Commission Decision 2000/520

Under Article 1, the Commission states that, in accordance with the two annexes of Commission Decision 2000/520, namely the Safe Harbour Privacy Principles and the FAQs, US data processing companies ensure an adequate level of protection for personal data transferred from the EU. However, since, as mentioned above, compliance with the Safe Harbour Privacy Principles only requires US companies to self-certify voluntarily, the CJEU stated in paragraph 82 of its judgment that the reliability of the presumption of adequacy these documents entail depends solely on the existence of an effective supervisory system.

Moreover, the fourth paragraph of the Safe Harbour Privacy Principles states that compliance with the principles may be ‘’limited (a) to the extent necessary to meet national security, public interest, or law enforcement requirements, or (b) by statute, government regulation, or case-law that create conflicting obligations or explicit authorizations, provided that, in exercising any such authorisation, an organisation can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization, or (c) if the effect of the Directive or the Member State law is to allow exceptions or derogations.’’ The CJEU, in its judgment, regarded such a derogation as general and as enabling interference with the fundamental rights of EU citizens. The CJEU also pointed out that Commission Decision 2000/520 does not set any limits on such interference, which makes it a very open-ended act. According to the case-law of the CJEU, EU legislation that contains such limitations on fundamental rights prescribed under the Charter must create a clear and precise framework for the application of the limitation, and may apply it only where strictly necessary. However, in this case, as the CJEU rightly pointed out, the generalised and undifferentiated nature of these limitations would compromise the essence of the right to respect for private life and the right to protection of personal data guaranteed by the Charter.

In addition to this, the CJEU stated that, pursuant to Article 47 of the Charter, the right to an effective judicial remedy before an independent tribunal is an inherent principle of EU law. Despite this, Commission Decision 2000/520 does not contain any provision regarding an effective judicial remedy against the interference explained above. As the Advocate General also pointed out in paragraphs 204 and 205 of his Opinion, the private dispute resolution mechanisms and the Federal Trade Commission’s jurisdiction provided for under the Safe Harbour Privacy Principles only cover commercial disputes, and thus do not relate to the gathering and assessment of personal data for non-commercial purposes.

Therefore, taking into account that Article 1 of Commission Decision 2000/520 does not lay down any legally justified and proportionate criteria that comply with the adequate protection requirement of Article 25 of the Data Protection Directive, the CJEU declared Article 1 invalid.

Invalidity of Article 3 of Commission Decision 2000/520

Article 3 of Commission Decision 2000/520 sets out the powers of the Member States’ DPAs regarding the assessment of the adequacy of the level of protection provided by US companies, such as the power to suspend data flows under certain circumstances. However, the CJEU stated in paragraph 101 of its judgment that although that provision ‘’is without prejudice to the powers of those authorities to take action to ensure compliance with national provisions adopted pursuant to the Data Protection Directive, it excludes, on the other hand, the possibility of them taking action to ensure compliance with Article 25 of the Data Protection Directive’’.

Within this scope, as the Commission did not have the competence to restrict the powers of the DPAs, the CJEU held that the Commission had exceeded the limits of its power under Article 25(6) of the Data Protection Directive, and thus declared Article 3 invalid. Taking into account the invalidity of both Article 1 and Article 3 of Commission Decision 2000/520, and the fact that they are inseparable from the rest of the decision and its annexes, the CJEU declared Decision 2000/520 invalid as a whole.

Aftermath of the Judgment on Case C-362/14

Initial responses of the stakeholders

This highly controversial judgment of the CJEU, when considered together with the CJEU judgment of 2014 by which the Data Retention Directive was invalidated for breaching the Charter provisions by allowing the mass collection of metadata, has created major discussions in the market. As there are nearly 5,000 US data processing companies enjoying the benefits of the Safe Harbour Privacy Principles, it is evident that this judgment will have an impact on a very large scale.

Although the EU has generally embraced the declaration of invalidity of Commission Decision 2000/520 on the ground that the US did not provide adequate data protection, the initial reactions of US data processing companies and the related authorities were the opposite. Defending the Safe Harbour Privacy Principles, they have accused the CJEU of acting hastily, without taking into account the practical consequences of its judgment, and of eliminating a system which had been in effect for fifteen years, even though Max Schrems could not provide any concrete evidence of abuse in this particular case. The fact that the CJEU placed the protection of fundamental rights above market integration and profitable cross-border agreements has created a fear of uncertainty among the US companies concerned.

On the other hand, the DPAs will also be affected by this judgment since, firstly, they will face a dramatic increase in their workload, as they will have to carry out a substantive assessment of each complaint, and secondly, they will need a high-level legal instrument that provides a harmonized EU law perspective on data protection, rather than a fragmented approach depending on the policies of each Member State.

Moreover, the fact that the judgment is effective immediately, and that the CJEU did not offer any grace period or guidance for companies to amend their policies, has also created a complicated situation for the stakeholders. Since compliance with the Safe Harbour Privacy Principles will no longer enable US companies to benefit from the presumption of adequacy of protection, they will have to resort to new methods to ensure such protection. On a positive note, data processing companies can rely on alternative compliance methods, which are described below.

Alternative methods for legitimizing data transfers

The imminent practical impact of the judgment is that US data processing companies which do not want to cease collecting EU data will have to restructure their data protection policies and provide safeguards by using alternative methods.

One option for legitimizing data transfers would be to obtain consent from the data subject. Such consent is subject to two conditions: it has to be explicit and freely given. These conditions may cause problems in some cases; for example, in the case of employees, their consent is not regarded as valid evidence in many Member States. This is because employees may be coerced by their employers, and it is thus presumed that they do not have a free choice. Moreover, as people generally tend to skip and disregard ‘terms and conditions’, especially in their online transactions, obtaining consent in such cases would not be a very reliable and legitimate method of proof. Furthermore, the issue of consent also raises other questions of interpretation, such as whether a waiver of the right to privacy can or should be restricted in specific situations. Thus, companies that intend to use this method should carry out self-assessments of the different issues involving the consent mechanism in order to ensure legitimate protection for data transfers.

Another possible method for data transfers would be executing Data Transfer Agreements between the EU data exporter and the US data processing company. Such Data Transfer Agreements would contain the Model Clauses regulated by the European Commission, which would create a unified approach to the data protection issue. These Model Clauses would be easy to execute and straightforward to draft, since the general template is provided by the European Commission. However, as it is a fixed framework, it does not allow the parties much flexibility to adopt different provisions. Moreover, if a need to subcontract to other data processors arises, new clauses have to be executed with each and every one of these subcontractors.

A third option would be implementing Binding Corporate Rules (BCRs), which would govern the data processing procedure as a whole for intra-group data transfers. With this method, a global data privacy compliance structure in line with EU data protection legislation would be created, which, in addition, would also include security standards to guarantee sufficient protection according to the nature and scope of the data transfer. Although entities that wish to implement a generalized, wide-scale solution for their group of companies may opt for this method, it should be borne in mind that the procedure would be lengthy and more expensive than the other methods due to its wide coverage. Moreover, some EU countries, such as Hungary, do not recognize BCRs, so companies that wish to implement this method should take into account the national legislation of the EU Member States in which the group companies bound by the rules are located.

Roadmap for the EU legislation revisions on stricter data protection

While the case at hand will now go back to the Irish supervisory authority so that it can examine Max Schrems’ complaint and decide on the suspension of data transfers from Facebook’s Irish subsidiary to the US, the European Commission has already started working on introducing improvements to EU data protection legislation, in order to finalize the amendments by the end of this year and to minimize the negative impact of this judgment on the market. Having set as its priorities the protection of personal data transfers, the continuation of cross-border data flows and the uniform application of EU law, the European Commission is currently carrying out a new round of discussions with the US regarding the amendment of the current framework.

With the invalidation of Commission Decision 2000/520 and thus of the Safe Harbour Privacy Principles, the main focus will now be on the Data Protection Directive and especially on the draft General Data Protection Regulation that is currently under discussion. Judging by the initial contents of the draft Data Protection Regulation, the final round of negotiations on which will take place in December 2015, it appears to be much more comprehensive than the previous data protection legislation. It will include harmonized security provisions that serve the specific needs of current market conditions and improve on the existing concept of adequate protection. Moreover, with regard to alternative methods of data protection, although the Data Protection Directive only mentioned the Model Clauses regulated by the European Commission, the draft Data Protection Regulation also includes the BCR mechanism, which would give data processing companies the option of creating worldwide protection.

Furthermore, the EU and US have also been discussing an Umbrella Agreement to complement the data protection legislation referred to above. However, this Umbrella Agreement would differ from the other data protection legislation since, firstly, it would only regulate data exchanges between EU and US authorities, and would not govern data exchanged between EU and US companies that is then transferred to US authorities. It is thus limited in scope and, for that reason, has been criticized for not providing a more generalized solution. Secondly, it does not cover data protection or security matters as such, but provides a framework for law enforcement cooperation between the EU and the US. One of the most important implications of the Umbrella Agreement is that these new enforcement standards are expected to improve the judicial redress rights of EU citizens in the US. Whereas currently EU citizens are not able to obtain redress from US courts in the event of unlawful processing of their data, while US citizens are able to seek redress in the EU, the Umbrella Agreement would provide equal treatment to EU citizens, as they would be allowed to bring their cases before the US courts in the event of data privacy infringements.

Case Law