Adding Some Nuance on the European Court’s Safe Harbor Decision

Yesterday, the European Court of Justice (ECJ) issued a decision about European data protection laws as they relate to data transfers to the US. While there have been a number of news reports published on what the opinion may or may not do in practice, there is a lot of nuance from the opinion that has been lost in the headlines.

For example, the opinion didn’t actually invalidate the US-EU safe harbor arrangement, as plenty of news outlets, including the New York Times and the Washington Post, have claimed. Instead, it invalidated a European Commission decision from 2000 that concluded the US’s “Safe Harbor Privacy Principles” provided adequate protections for Europeans’ privacy rights under EU law (more on this below). Invalidating that decision may undermine some of the stability of the safe harbor scheme, since it will be harder for US companies to know whether US law meets the “adequacy” standard, but it won’t necessarily destroy it. And the ECJ didn’t say that the principles “violate privacy,” as the Wall Street Journal claimed.

While it may seem like quibbling over shades of grey, those sorts of distinctions matter when you’re trying to assess the practical implications of a court ruling, and this case is no exception. It may well be that this judgment is a win for privacy and a strong condemnation of NSA surveillance (much of the opinion clearly rests on concerns over the NSA’s activities). It may even be that the judgment is a harbinger of the end of the safe harbor arrangement — or at least a signal that change is sorely needed. But the decision itself didn’t actually kill the Safe Harbor framework or wade into the appropriateness of its provisions. It told the Irish Data Protection Commissioner to investigate a complaint it received and to decide whether US law adequately protects Europeans’ privacy rights.

Some quick background on the various elements at play in this judgment: The above-mentioned 2000 decision came after a 1995 European Parliament directive on individuals’ rights related to personal data and, particularly relevant for our purposes, the transfer of such data to non-EU countries. The directive requires that when data is transferred from an EU Member State to a non-EU country, the receiving country must “ensure[] an adequate level of protection” for that data, as judged in light of “all the circumstances surrounding [the] data transfer.” The directive says that the European Commission can find that non-EU countries provide adequate protections based on the country’s “domestic law or … international commitments.”

As is easy to imagine, that language doesn’t provide much guidance for companies on what would constitute sufficient protections. The US Commerce Department developed the Safe Harbor Privacy Principles in consultation with the EU, as well as industry and the public. These principles were intended for use by US organizations “for the purpose of qualifying for the safe harbor and the presumption of ‘adequacy’ [under European law] it creates.” The safe harbor scheme operates on a system of self-certification, and now includes more than 4,000 companies. After the scheme was established, the European Commission, in its 2000 decision, held that the principles “ensure[d] an adequate level of protection for personal data.”

Now for some background on the case: In June 2013, Max Schrems brought a complaint to the Irish Data Protection Commissioner requesting that the Commissioner prohibit Facebook’s Irish subsidiary from transferring Schrems’ personal data to Facebook’s US servers. Specifically, Schrems alleged that US law doesn’t afford adequate protections to his personal data under the EU Charter of Fundamental Rights, largely based on concerns about NSA surveillance. But the Commissioner denied his request, relying in part on the 2000 decision that had found that the US adequately protects Europeans’ privacy rights.

After the Commissioner denied his request, Schrems went to the Irish courts. The Irish High Court, in turn, asked the ECJ for a ruling on two questions of European law. The first question was whether national-level authorities (like the Data Protection Commissioner) were bound by the European Commission’s 2000 finding. The ECJ didn’t address the second question, which asked whether, even if the 2000 decision was binding, “factual developments” since the Commission’s finding (i.e., the Snowden leaks) meant that the national-level authority could conduct an independent investigation.

So what does yesterday’s judgment say, and what does it mean for the future of data transfers from Ireland to the US?

Per the ECJ’s press release, the immediate effect of the judgment is that the Irish Data Protection Commissioner is not bound by the 2000 finding. Rather, she must examine Schrems’ allegations with “all due diligence” to decide whether the transfer of data from Facebook’s Irish subsidiary to Facebook’s US servers affords an adequate level of protection of personal data.

Importantly, the judgment says nothing about what the Irish Commissioner must or will find. She may find that US laws are perfectly adequate. She may not. But if “adequacy” is measured by how European countries protect personal data from government interference, that bar may not be much higher than it is in the US.

The opinion also opens the door for other European countries’ data protection commissioners to independently investigate the adequacy of US protections. This means we may wind up with a patchwork of rulings until the ECJ has the opportunity to squarely decide the merits of US data protections.

All of this rests on some of the key takeaways from the ruling, including:

  • Any decision by the European Commission that a country’s data protections are “adequate” does not prevent a Member State’s supervisory authority (e.g., the Irish Data Protection Commissioner) from independently investigating a complaint that the receiving country does not actually adequately protect individuals’ rights and freedoms under the Charter.
  • However, the ECJ underlined that Member States cannot declare a Commission decision invalid. Thus, all decisions by national authorities (whether they agree or disagree with Commission decisions) must be appealable through the national courts, and the ultimate determination about the validity of the Commission decision lies with the ECJ.
  • Specifically, the ECJ ruled that the Commission’s 2000 decision was invalid because, among other things, it only examined the Commerce Department’s Safe Harbor Privacy Principles, rather than the broader protections and statutory scheme in the US. The directive required the Commission to assess the adequacy of the US’s protections more fully, not merely examine a single self-certification program. Given the range of national security-based justifications for the US gaining access to transferred data and the difficulty Europeans face in obtaining legal remedies under US law, the ECJ said the Commission’s previous decision that the US’s scheme was presumptively adequate was invalid.

While it will take some time to break down the more specific practical implications of the judgment, it’s worth reading the whole opinion (and the other materials referenced in it) below:

   ECJ — Schrems Judgement


About the Author(s)

Megan Graham

Former Assistant Managing Editor and Security, Privacy, and Technology Fellow at Just Security. Follow her on Twitter (@meganmcgraham).