EU-US Safe Harbour agreement declared invalid

Accordingly, this article also proposes to forecast the potential implications that the recent decision of the CJEU may have on the Maltese legal order.

1. Legal Background

The legal background to this ruling relates to the correct interpretation of Article 25(6) and Article 28 of the European Union (EU) Directive 95/46/EC concerning the protection of individuals with regard to the processing of their personal data, and on the free movement of such data (the Data Protection Directive).

In effect, the Data Protection Directive establishes that the transfer of personal data to a non-EU country (such as the U.S.), for the purposes of processing, shall only be lawful if that country ensures an ‘adequate level of protection’ for the private lives, basic freedoms and rights of individuals. Therefore, the transfer of such data to countries which fail to meet the EU ‘adequacy’ standard is absolutely prohibited under the terms of the Directive.

Nevertheless, Article 25(6) prescribes that the Commission may conclude that an ‘adequate level of [such] protection’ exists on the basis of the domestic law of the non-EU country, or by reason of the international commitments that it has entered into. In tandem, Article 28 sets out the powers of investigation and intervention of the national public authorities responsible for dealing with complaints lodged by individuals in relation to the processing of their personal data (hereafter Data Protection authorities).

Accordingly, the CJEU was called upon to interpret the meaning of the aforementioned articles in light of Article 7 (‘respect for private and family life’), Article 8 (‘protection of personal data’) and Article 47 (‘right to an effective remedy and fair trial’) of the Charter of Fundamental Rights of the European Union (‘Charter’).

The significance of the resultant interpretation for Article 25(6) was also interlinked with the validity of the EU Commission Decision 2000/520/EC (Decision 2000/520/EC). In this regard, that Decision constitutes an agreement reached between the EU Commission and the U.S. on the lawful transfer and processing of personal data of EU residents by U.S. Organisations. As per the agreement, a presumption subsists that U.S. Organisations ensure an ‘adequate level of protection’ if they certify that they comply with the principles set out in the EU-U.S. Safe Harbour framework. In effect, compliance with the preceding framework enables U.S. Organisations to transfer personal data in a manner which is deemed to be consistent with the Data Protection Directive.

Hence, the judicial interpretation of Article 25(6) was expected to affect whether the Commission could legitimately establish a presumption in favour of the protection afforded to personal data by U.S. Organisations.

2. Questions Referred

The proceedings in question arose from a dispute between Mr. Schrems (‘the claimant’), an Austrian national residing in Austria, and the Irish Data Protection Commissioner (‘the Commissioner’). In the main, the claimant objected to the Commissioner’s refusal to use the statutory powers conferred upon him under Article 28 of the Data Protection Directive.

Specifically, the claimant had requested that the Commissioner investigate and, if well-founded, prohibit the transfer of his personal data by Facebook Ireland to the servers of its parent company Facebook Inc. This request was lodged on the basis that Facebook Inc., the recipient of the claimant’s data, was registered and located in the U.S. Furthermore, the transfer of his personal data to the U.S. was to be carried out pursuant to the standard contract which a Facebook user, being resident in an EU Member State, concludes with Facebook Ireland at the time of registration.

The claimant argued that the prevailing law and practice of the U.S. failed to ensure ‘adequate protection’ for the personal data retained within its territory. In fact, the claimant maintained that the surveillance activities engaged in by the relevant U.S. public authorities were completely at variance with the fundamental rights to privacy and to the protection of personal data which are guaranteed under the Charter. The claimant also contended that his claims were substantiated by the revelations made by Edward Snowden on the activities of the United States intelligence agencies (particularly those of the National Security Agency).

Nevertheless, the Commissioner held that he was not obliged to investigate the matter, and rejected the complaint as being unfounded. Pertinently, the Commissioner argued that the claimant had failed to establish, by means of evidence, that his personal data was indeed accessed by the NSA. Furthermore, the Commissioner also emphasised that questions of adequacy of data protection in the U.S. were to be determined in accordance with Decision 2000/520. Pursuant to the contents of this Decision, the Commissioner held that it was not incumbent upon him to investigate the adequacy of the data protection afforded by Facebook Inc.

Subsequently, the claimant instituted proceedings before the High Court of Ireland which, after considering the evidence adduced by the parties, decided to stay proceedings and refer the following questions to the CJEU:

  • ‘Whether, in the course of determining a complaint lodged with an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in Decision 2000/520 having regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of Article 25(6) of Directive 95/46 notwithstanding?
  • Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision was first published?’

3. CJEU Decision

A. The powers of the national supervisory authorities, within the meaning of Article 28 of Directive 95/46, when the Commission has adopted a decision pursuant to Article 25(6) of that directive.

The Court upheld that the Commission may validly adopt a decision under Article 25(6), whereby it establishes that a non-EU country ensures an adequate level of data protection. In the event of such a decision, EU Member States shall be required to undertake the measures necessary for compliance at a national level.

Furthermore, EU Member States are also precluded from adopting national measures which are contrary to such a decision, at least until such time as it is declared invalid by the EU judicial organ. By way of illustration, the Court specified that independent supervisory authorities (namely, Data Protection authorities) would be unable to conclude that a non-EU country which is covered by a Commission decision fails to ensure an adequate level of data protection.

That said, the Court elaborated that a decision taken by the Commission under Article 25(6) (e.g. Decision 2000/520/EC) cannot serve to prevent individuals from lodging complaints in relation to the transfer of their personal data to the country so covered by that decision. Notwithstanding the presence of a Commission decision, the Data Protection authorities retain their sphere of competence to oversee and monitor transfers of personal data to the countries to which that decision applies. In this regard, the Court emphasised that the foregoing authorities:

‘when hearing a claim lodged by a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him, must be able to examine, with complete independence, whether the transfer of that data complies with the requirements laid down by the directive.’

Thus, the relevant authorities remain competent to examine claims concerning the protection of personal data. The fulfilment of these functions entails an investigation into whether the protection afforded in the non-EU country is compatible with the protection of the privacy and fundamental rights and freedoms of individuals. That capacity, however, shall not entitle such authorities to declare that a Community decision is invalid.

Accordingly, the Court specified that Data Protection authorities must examine and report on any claims lodged with regards to the transfer (or potential transfer) of the individual’s personal data to a non-EU country covered by a Commission decision under Article 25(6). In so doing, the abovementioned authorities are duly bound to investigate, with all due diligence, any arguments to the effect that the relevant decision is incompatible with the protection of the privacy and fundamental rights and freedoms of individuals.

In the event that the authority rejects the complaint as being unfounded, then the complainant shall be entitled to have access to judicial remedies enabling him to challenge such a decision before the national courts. Those courts shall then be required to stay proceedings and submit a reference to the CJEU where

“they consider that one or more grounds for invalidity put forward by the parties or, as the case may be, raised by them of their own motion are well founded.”

On the other hand, if the complaint and the objections contained therein are upheld as being well-founded, then that authority shall be entitled to engage in legal proceedings. In this respect, the national legislature must have in place the necessary legal remedies so as to enable that authority to put forward to the national court those objections which it considers to be well-founded. If the national court shares the same doubts on the validity of the Commission decision, then a reference to that effect should be submitted to the CJEU.

In closing, a Commission decision adopted under Article 25(6) (e.g. Decision 2000/520) shall not deprive the Data Protection authorities of the statutory powers conferred upon them by virtue of Article 28 of the same Directive. In this manner, those authorities are to examine any claims which contend that the applicable law and practices of the non-EU country subject to that decision fail to ensure an adequate level of data protection.

B. The validity of Decision 2000/520

Herein, the Court addressed the interpretation to be given to the term ‘adequate level of protection’ under Article 25(6) of the Directive. In this respect, the Court surmised that the article in question imposed the same express obligation contained in Article 8(1) of the Charter on the protection of personal data. As a result, the Court held that the purpose of the article was to ensure that:

‘the high level of that protection continues where personal data is transferred to a third country.’

Moreover, the Court established that an ‘adequate level of protection’ necessitated an equivalent level of protection for fundamental rights and freedoms by the non-EU country to that guaranteed within the EU legal order (specifically, by virtue of the Data Protection Directive, read in light of the Charter). In this respect, a finding of such protection may be based on the domestic law or international commitments in the non-EU country.

Consequently, the CJEU proceeded to examine the substantive provisions of Decision 2000/520/EC, and their compatibility with the fundamental rights and freedoms guaranteed by the EU legal order. In so doing, the Court sought to establish a definitive ruling on the validity of that Decision.

(i) Article 1 of Decision 2000/520/EC

In terms of Article 1, the Court noted that the underlying mechanism for establishing compliance with the ‘safe harbour principles’ was based on a system of self-certification. Hence, U.S. Organisations which received personal data from the European Union were bound to adhere to the principles and FAQs annexed to the decision, both of which were issued by the United States Department of Commerce. In this regard, the Court observed that the reliability of a self-certification was dependent on the effectiveness of the detection and supervision mechanisms instituted by that country.

Furthermore, the Court noted that the obligations stemming from these safe harbour principles were only applicable to the self-certified U.S. Organisations receiving personal data from the EU. As a result, U.S. public authorities were not constrained by the requirement of complying with such principles when transferring and processing data from the EU. The Court also observed that the agreement underlying Decision 2000/520/EC was concluded without any sufficient findings regarding the measures by which the U.S. ensures an adequate level of data protection (referring to either its domestic law or international commitments).

A further consideration also related to the primacy of ‘national security, public interest, or law enforcement requirements’ emanating from U.S. Law over these safe harbour principles. Accordingly, self-certified U.S. Organisations receiving personal data from the EU were bound to disregard such principles in the event that a conflict arose with the abovementioned requirements. Therefore, the Court was of the opinion that Decision 2000/520/EC enabled:

‘Interference, founded on national security and public interest requirements or on domestic legislation of the United States, with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States.’

An additional deficiency of Decision 2000/520/EC pertained to the absence of findings on the rules adopted by the U.S. so as to limit any interference with the fundamental rights of those persons whose personal data is transferred from the EU. The relevance of this observation was particularly pronounced given the fact that U.S. Organisations were authorised to engage in any such interference when pursuing legitimate objectives (such as national security). In view of these concerns, Decision 2000/520/EC also crucially failed to provide any references to the existence of effective legal protection in the U.S. against interference of the abovementioned kind.

In reference to settled case-law, the CJEU then remarked that the principles underpinning Article 7 and Article 8 of the Charter required clear and precise rules in relation to the scope and application of a State measure for the transfer of personal data. Moreover, the imposition of minimum safeguards was also essential so as to ensure that data subjects are effectively protected against the risk of abuse and against any unlawful access to, and use of, their personal data. In this regard, the right to respect for private life, guaranteed by Article 7, dictates that any derogations from and limitations to the protection of personal data may only apply in so far as they are strictly necessary.

In conclusion, the CJEU reiterated that a decision undertaken through Article 25(6) required the Commission to establish that the non-EU country affords a level of protection for fundamental rights which is essentially equivalent to that guaranteed in the EU legal order. Furthermore, the Commission was equally bound to duly state the reasons which led to the above finding. While a level of such protection was held to be present in the U.S., the means by which it ensured an adequate level of protection were not outlined in Commission Decision 2000/520/EC.

Consequently, the CJEU declared Article 1 of Decision 2000/520/EC to be in breach of Article 25(6) of the Directive, as interpreted in light of the principles emanating from the Charter. Moreover, the CJEU held that Article 1 could be struck down without the need to examine the content of the safe harbour principles annexed to that decision.

(ii) Article 3 of Decision 2000/520/EC

Primarily, the CJEU emphasised that a correct interpretation of Article 28 of the Directive, in line with Article 8 of the Charter, obliged Data Protection authorities to utilise their powers of investigation when so requested. Correspondingly, the foregoing authorities must also be unencumbered by any EU or national measures when carrying out the above functions.

Thus, the CJEU pronounced that this authority must be able to examine, with complete independence, any claim concerning the protection of a person’s rights and freedoms in relation to the processing of his personal data. The obligations underlying that provision are further heightened when the compatibility of a Commission decision with fundamental rights has been disputed.

The CJEU then noted that Article 3(1) sets out restrictive conditions pursuant to which a Data Protection authority could suspend data flows to self-certified U.S. Organisations. As a result, the Court surmised that the contents of this provision established a high threshold for intervention by these authorities in relation to data transfers to the U.S. Furthermore, this provision also denied such authorities the right to take action so as to ensure that the EU principles on personal data transfer are maintained by the receiving U.S. Organisations.

In view of the above, the Court concluded that Article 3 was incompatible with the powers conferred upon Data Protection authorities under Article 28 of the Directive.

C. Conclusion

On this note, the CJEU established that Articles 1 and 3 of Decision 2000/520/EC were inseparable from the remaining provisions and annexes to that decision. As a result, the invalidity of the former provisions laid down the legal basis for the annulment of Decision 2000/520/EC in its entirety.

4. Implications for Malta

In this respect, the CJEU ruling invalidating Decision 2000/520/EC, including the annexed Safe Harbour principles, is expected to take effect immediately. Nevertheless, the practical implications of the above ruling remain dependent on the subsequent actions of the Data Protection authorities, as well as other relevant bodies.

The Maltese Data Protection Commissioner (Maltese DPC), and its European counterparts, may no longer rely on the invalidated Decision, and will now be obliged to consider with immediate effect any requests from data subjects in relation to the treatment of their data by U.S. Organisations. This reflects the Court’s decision stating that national authorities are to utilise the powers conferred upon them under Article 28 of the Directive, and fully examine any subsequent claims lodged.

Furthermore, the absence of a binding EU-U.S. agreement may portend that data transfers from a Maltese Organisation to a U.S. Organisation would constitute a notifiable activity. Thus, alternative arrangements for legitimate data transfers from Malta will now need to be considered. In this regard, a potential strategy for ensuring the continuance of data transfers to the U.S. may involve the adoption of standard contractual clauses approved at EU level. Until such time as such standard clauses are agreed upon within the European political dimension, the EU landscape on the applicable rules governing data transfers to U.S. Organisations may undergo a heterogeneous development amongst the Member States.

Thus, the Maltese DPC will, for the time being, be required to unilaterally examine whether U.S. Organisations, in receipt of personal data from Malta, ensure an adequate level of protection for that data so received.


The authors of this article are Dr Paul Micallef Grimaud and Dr Philip Formosa.