Mr Schrems goes to Washington
December 2015 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
On 6 October 2015, the Court of Justice of the European Union held that the EC’s Safe Harbor decision (Commission Decision 2000/520/EC of 26 July 2000 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce) was invalid (Schrems v Data Protection Commissioner, Case C-362/14).
The victory of Maximillian Schrems not only threw out a convenient basis for businesses on both sides of the Atlantic to legalise the flow of data to the United States, but also captured in an immediate and binding form what EU law regards as the main barrier to finding that the US ensures an adequate level of protection of personal data transferred from Europe.
That barrier is the entitlement provided in US law for federal authorities to process without limitation any and all data of any persons without the need for an individual justification for these operations and without judicial oversight – not only under the rules for conducting ‘signals intelligence’ pursuant to US Presidential Policy Directive 28, but also by mining Big Data gathered by internet giants. On top of that, as the Court of Justice found, Europeans are not equipped with any means of effectively protecting themselves against this threat within the United States.
In the court’s view, the availability of such means is guaranteed in the EU, because if the data protection authorities appointed in accordance with the Data Protection Directive (95/46/EC) receive a complaint concerning the suspicion of failure to provide adequate protection for data transferred to a third country, they are required to conduct an appropriate investigation, and if they find violations they are required to apply the measures provided for in the directive, such as halting or prohibiting the transfer or ordering the deletion of data. If a decision of the European Commission hampers such investigations and application of these protective measures, the relevant court or tribunal may request that the Court of Justice examine the validity of the decision.
The consequences of the Schrems ruling are serious, and it will not be easy to find a new long-term mechanism acceptable to both sides for legalising the transfer of personal data from the EU to the United States.
It doesn’t look good in the short term either. With the problematic Safe Harbor system overturned, other possible grounds for legalising data transfers will not be easy to apply. Based on this ruling, the grounds for the transfer must be examined on a case-by-case basis to ensure that the rights and freedoms of data subjects are not violated. In this context, neither standard contractual clauses (approved by another Commission decision) nor binding corporate rules provide certainty.
There is not even certainty with respect to the consent of the data subject. Such consent must meet numerous conditions – e.g., identifying the subject matter. In this case it will be necessary to inform the data subject in detail concerning the scope and purposes of possible access to his or her data, as well as notifying the data subject that consent can be withdrawn. But even then, some take the view that consent to infringement of fundamental rights is invalid. In that case, other requirements concerning the form and content of consent imposed by the individual member states appear to be a trivial barrier by comparison. For example, in Poland consent to transfer personal data to a third country must be made in writing, i.e., with a handwritten signature under the text providing consent.
Notwithstanding assurances by Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, and the position taken by the Article 29 Data Protection Working Party, a body established under the Data Protection Directive made up of the data protection authorities of the member states, the national data protection authorities have not taken a uniform position.
Germany’s conference of federal and state data protection bodies (Datenschutzkonferenz) published a position paper on 21 October 2015 stating that it will not authorise the transfer of data to the United States on the basis of binding corporate rules or standard contractual clauses. This conflicts with the position paper issued by the Article 29 Working Party just a week before holding that binding corporate rules and standard contractual clauses may continue to be used as the basis for transfers, while efforts by all of the parties to the negotiations to agree on new rules for the free flow of data to the US should be aimed at finding a permanent solution by the end of January 2016.
Maximillian Schrems and his fellow activists won a huge victory. They admit that their goal is not just to humble online social media giants but also to force the US government to recognise European rules and values and European standards for the protection of privacy and personal data. So it seems that complaints against American companies are also designed to enlist them in bringing pressure to bear on US politicians to find a solution. But will the US business community be willing to join forces with Schrems?
Or perhaps the negotiators for all sides will come up with another fair solution without additional pressure? That would certainly be desirable. For now, however, Commissioner Jourová is providing nervous assurances that the negotiations to replace Safe Harbor are already nearing an end, while the US Department of Commerce states on its Safe Harbor site that it is still implementing the programme and accepting notifications of self-certification, although it advises companies to bring any questions they may have to the attention of the European Commission or national data protection authorities in Europe. This suggests that the initial bargaining positions are only now being established before the real negotiations begin.
Participants in e-commerce are anxiously awaiting the results of what they can only hope will be effective work by the negotiators.
Jan Grygo is a partner at Łaszczuk & Partners. He can be contacted on +48 22 351 0067 or by email: firstname.lastname@example.org.
© Financier Worldwide
Łaszczuk & Partners