Data Protection: Just How Safe is Safe Harbour?

Sharpe Pritchard

Gareth Oldale, partner and head of technology and data at Sharpe Pritchard, discusses the impact of the recent decision in Maximillian Schrems v Data Protection Commissioner, Case C‑362/14 (6 October 2015) that ruled Safe Harbour invalid.

An unencrypted memory stick left on a train. A misdirected fax containing sensitive personal data. An IT hack disclosing the names of extra-marital affair website users. For data protection law to hit the front page headlines, something usually has to go catastrophically wrong.

It is somewhat unusual, therefore, to find that the most recent data protection story to find its way into the mainstream press is the altogether more prosaic story of an Austrian law student challenging, via the Irish High Court to the Court of Justice of the European Union and back again, the validity of the entire Safe Harbour scheme and the adequacy of the US data protection regime. What is even more unusual is: he won.

A David and Goliath Story for the Digital Age

Maximillian Schrems, an Austrian citizen, is like many of his generation a user of Facebook; he has been since 2008. Mr Schrems is aware that some or all of the data provided by him to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed. Mr Schrems’ data is not alone in this scenario – indeed, this flow of data is typical for Facebook users across the EU.

Mr Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner or DPC) on the grounds that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency), the law and practice of the United States do not offer sufficient protection against surveillance by the American public authorities of the data transferred to that country.

Transfers of personal data from the EU to other territories are only permitted if “adequate” protection is provided for that data in the territory to which it is transferred. This is a long-established principle of data protection law, enshrined in Article 25(1) of the EU Data Protection Directive 1995 and also reflected in Principle 8 of the UK’s Data Protection Act 1998.

The Irish DPC rejected Mr Schrems’ complaint, in particular on the ground that in a Decision of 26 July 2000 the European Commission considered that adequate protection is provided by US undertakings which self-certify their adherence to the Safe Harbour scheme. Undeterred, on 18 June 2014, Mr Schrems took his case to the Irish High Court.

Upon hearing Mr Schrems’ case, the Irish High Court asked the Court of Justice of the European Union (CJEU) to clarify:

  • whether, in determining a complaint that a third country’s laws and practices do not contain adequate protection for data being transferred to it, a national supervising authority (such as the Irish DPC) is absolutely bound by the European Commission’s Safe Harbour Decision from July 2000; and
  • alternatively, whether the DPC may or must conduct its own investigation of the matter in light of factual developments since the Commission Decision was published.

The Court’s Decision

The response from the CJEU was swift, succinct and unequivocal.

Firstly, the CJEU held that the existence of the Commission Safe Harbour Decision does not prevent a national supervisory authority (such as the Irish DPC) from investigating a complaint alleging that a third country does not ensure an adequate level of data protection for data transferred to it, nor does the Decision prevent such an authority from suspending the transfer of that data. Even if the Commission has adopted a Decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the EU Directive.

The Court then went on to consider the validity of the Safe Harbour self-certification scheme. It held that companies like Facebook can comply with Safe Harbour and yet at the same time also allow US authorities access to personal data they hold in order to comply with US law. As the rights of US authorities include the right to access vast stores of personal data without any differentiation, limitation or exception according to the objective pursued, this does not satisfy the requirements of the EU Data Protection Directive. For this reason, the Court declared that the Safe Harbour Decision was invalid.

Advocate General Bot (who was responsible for proposing to the CJEU, in complete independence, a legal solution to the questions which had been referred to the CJEU by the Irish High Court) went even further, suggesting that the Commission should have suspended or adapted its Safe Harbour Decision following the Snowden revelations. Such failure by the Commission to act accordingly, in AG Bot’s view, is an additional ground on which to declare the Safe Harbour Decision invalid.

AG Bot delivered his Opinion on 23 September 2015. Whilst the CJEU is not bound to follow the Advocate General’s advisory Opinion, on this occasion it did, handing down its judgment on 6 October 2015. With the judgment published, Safe Harbour was formally declared invalid with immediate effect.

What Happened Next?

In the short time since the judgment was published on 6 October, there has been an unquestionable frenzy across Europe to consider the impact of the Schrems judgment.

The European Commission – no doubt bruised by a thinly veiled mauling at the hands of AG Bot and the CJEU – has sprung into action, accelerating its review of a replacement for Safe Harbour (which, the Commission would argue, was already under way).

The other EU institutions have rounded on the Commission too, with the European Parliament’s Civil Liberties Committee Chair Claude Moraes stating that the decision by the CJEU “declaring the invalidity of the Safe Harbour agreement, forces the European Commission to act…and come up with an immediate alternative to Safe Harbour. The Commission has been in negotiations with the US for over a year on improving the framework but we have still received no update on these discussions”.

In the UK, the Information Commissioner, Sir Christopher Graham, has met with Baroness Neville-Rolfe (the government Minister with responsibility for the ICO) to discuss the impact of the Schrems judgment. He has also joined his fellow data protection commissioners from across the EU at a meeting of the Article 29 Data Protection Working Party, to consider how to respond to the challenges presented by an invalid Safe Harbour scheme.

In a statement published by the Article 29 Working Party, the data protection commissioners have confirmed that “If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions”. The clock, therefore, certainly seems to be ticking.

But What Does it Actually All Mean?

What the Schrems judgment does not mean is that any data processing arrangement which involves the transfer of personal data to the USA is necessarily unlawful or in breach of the European Data Protection Directive and the UK’s Data Protection Act. However, public authorities would be well advised to review their data processing arrangements with any companies based in the USA, and to review the data processing and security clauses in their standard contracts.

There are, of course, other ways in which data controllers can determine the adequacy of protection afforded to data subjects in the USA. For example, the data protection Binding Corporate Rules and the European Commission’s Standard Contractual Clauses can still be used – a point confirmed in the Article 29 Working Party’s statement referred to above.

What the CJEU’s ruling does mean is that data controllers – public bodies included – will need to pay even closer attention to the data processing and transfer models proposed by suppliers when procuring new contracts. Relying on a US company’s Safe Harbour self-certification will clearly no longer be sufficient to discharge a data controller’s adequacy obligation. Therefore, a more thorough and potentially intrusive examination of the data processing activities, procedures and territorial strategies of data processors will be necessary.

Those authorities with contracts already in place which rely on Safe Harbour would be wise to spend some time with their US suppliers, to understand in more detail what risk is presented in respect of the personal data which is processed in or transferred to America. Privacy Impact Assessments may be helpful in certain scenarios. In other cases, it is likely that some contracts will require variations in order to fully satisfy the public body’s obligations as a data controller. Those contracts which have been in place for a long time, which involve the processing of sensitive personal data or which deal with the processing of vast volumes of personal data of any nature may be the most likely to require special attention.

With the imminent arrival of the EU-wide General Data Protection Regulation, data protection officers within public authorities are already finding themselves busier than ever before. The judgment in the Schrems case may just mean that the workload is set to increase yet further.

For more information please contact Gareth Oldale on 020 7061 5914 or email