PRIVACY & DATA PROTECTION www.pdpjournals.com VOLUME 16, ISSUE 1

The demise of the US-EU Safe Harbor

Bridget Treacy, Partner, and James Henderson, Associate, Hunton & Williams, examine the uncertain position left by the CJEU after it declared Safe Harbor invalid

On 6th October 2015, the Court of Justice of the European Union (‘CJEU’) gave its judgment in the case of Max Schrems v Data Protection Commissioner of Ireland (Case C-362/14). As has been widely reported, the CJEU declared the US-EU Safe Harbor, a mechanism that has facilitated the transfer of personal data between the EU and the US for 15 years, to be invalid. It also found that national Data Protection Authorities (‘DPAs’) are not absolutely bound by adequacy decisions of the European Commission, and may conduct their own investigations into whether transfers of personal data are subject to an adequate level of protection.

The decision has attracted lurid media headlines and has created a sense of panic in some quarters. Organisations are now scrambling to implement alternative data transfer mechanisms ahead of anticipated DPA enforcement actions.

The facts

In the wake of Edward Snowden’s revelations about the widespread access to personal data enjoyed by US intelligence agencies, Mr Schrems, an Austrian privacy campaigner, made a complaint to the Irish DPA, challenging Facebook’s use of Safe Harbor to transfer personal data to the US.

Mr Schrems alleged that the Safe Harbor did not provide an adequate level of protection for EU personal data in the US. He asked the Irish DPA to examine its validity and, if necessary, to suspend ongoing transfers of personal data to the US by Facebook.

Origins of Safe Harbor

The Safe Harbor framework was developed to address European concerns that data privacy protections in the US were not ‘adequate’, as required by Article 25(1) of the EU Data Protection Directive (‘Directive’). The framework was negotiated by the US Department of Commerce and the European Commission to bridge the different privacy approaches in the US and Europe, and to provide a streamlined means for EU organisations to transfer personal data from Europe in compliance with the Directive.

Until the CJEU’s judgment in Schrems, organisations that self-certified to the Safe Harbor framework were legally permitted to receive personal data originating from Europe. The framework itself comprised a set of Privacy Principles and Frequently Asked Questions. To certify to the Safe Harbor, organisations: (1) conformed their privacy practices to meet the requirements of the Safe Harbor Privacy Principles; (2) filed a self-certification form with the Department of Commerce; and (3) published a Safe Harbor privacy policy, stating how the company complied with the Privacy Principles.

EU criticism of Safe Harbor

EU criticism of Safe Harbor is nothing new, but it intensified following Edward Snowden’s disclosures in June 2013.

Prior to that, in April 2010, the Düsseldorfer Kreis (a working group comprised of the 16 German state DPAs responsible for the private sector), issued a resolution requiring additional diligence on the part of German data exporters transferring data to Safe Harbor certified entities. By requiring additional diligence, the German DPAs appeared to question the European Commission’s decision that Safe Harbor certification is sufficient to demonstrate an adequate level of protection for personal data.

In July 2012, the Article 29 Working Party adopted an opinion on cloud computing in which it similarly concluded that EU data exporters could not rely on self-certification alone. The Working Party noted that in order to legitimise data transfers to cloud vendors located in the US, data exporters may need to obtain evidence of compliance with the Safe Harbor framework.

Following the Snowden revelations, rumblings of discontent with Safe Harbor crystallised when the European Parliament called on the European Commission to review Safe Harbor, claiming that the PRISM programme and access to personal data originating from the EU by US law enforcement agencies constituted a ‘serious violation’ of the Safe Harbor Agreement.

Mr Schrems’ claim

Mr Schrems’ complaint was made against the backdrop of this growing European discontent with Safe Harbor. He did not attack the Safe Harbor principles directly, but attacked the activities of US law enforcement and intelligence agencies and their access to and use of EU personal data in the US.

Schrems’ central claim was that the Safe Harbor no longer provided an adequate level of protection for personal data, because of US agencies’ blanket access to data, as revealed by Edward Snowden. Mr Schrems requested that the Irish DPA order Facebook to suspend data transfers to the US under Safe Harbor.

The specific question referred to the CJEU by the Irish High Court was whether the Irish DPA was bound by the Commission’s adequacy decision on Safe Harbor, precluding any investigation by the DPA into the protection afforded to data transferred in those particular circumstances, or whether the DPA could conduct its own investigation into the ongoing adequacy of the Safe Harbor, in light of the factual developments since the Commission’s adequacy decision (Decision 2000/520).

CJEU’s judgment

The CJEU found that national DPAs are not bound by Commission adequacy decisions, but are entitled to conduct their own investigation into whether transfers of personal data are subject to an adequate level of protection. In addition, the Court went further than the specific question referred to it, and considered whether Decision 2000/520 on which the Safe Harbor rests is valid. The CJEU decided that it is not.

“In the immediate aftermath of the judgment, a number of affected companies have already started to implement alternative data transfer mechanisms. Some vendors have proactively sent pre-executed Model Clauses to EU clients.”

Meaning of ‘adequate’

In considering the validity of Decision 2000/520, the Court noted that the requirement of ‘adequacy’ does not mean that a third country must ensure a level of protection for personal data that is ‘identical’ to that guaranteed in Europe. Rather, the level of protection for fundamental rights and freedoms must be ‘essentially equivalent’ to those guaranteed in Europe. This is a question of fact that requires consideration of domestic law and a country’s international commitments. Further, as the level of protection may change, the court considered that the Commission would need to ‘check periodically’ whether the adequacy finding remained ‘factually and legally justified’.

Surveillance by US law enforcement

Decision 2000/520 provides that national security and law enforcement considerations have primacy over the Safe Harbor Principles. The court found that this general derogation enabled interference with the fundamental rights of European citizens, without limit or effective legal protection. In other words, although organisations might certify to, and in fact comply with, the Safe Harbor Principles, access on a generalised basis by US law enforcement and intelligence agencies would mean that EU citizens’ personal data are not adequately protected.

Prior to publication of the judgment, the US trade mission to the EU was quick to rebut assumptions concerning Snowden that had appeared in the Advocate General’s Opinion, stating that “[t]he United States does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens”, and that the PRISM programme “is in fact targeted against particular valid foreign intelligence targets, is duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations.”

Absence of right of redress for EU citizens in US

Another important factor for the CJEU was that EU citizens have no right of redress in the US in relation to the use of their data by such agencies.

In the EU, the right of redress to an independent authority is a fundamental right and essential to ensure that individuals are protected. Although the Federal Trade Commission in the US is responsible for ensuring that companies do not engage in unfair or deceptive trade practices (including misrepresentation as to their compliance with the Safe Harbor), its jurisdiction does not extend to use of data by law enforcement agencies. Consequently, the CJEU was of the view that the Safe Harbor does not provide an adequate level of protection for personal data.

It should be noted that the CJEU did not engage in any direct comparison between the use of data by US law enforcement and intelligence agencies, and those in the EU. Edward Snowden’s revelations revealed similar surveillance activities carried out by EU-based intelligence agencies, particularly those in the UK.

The use of personal data in the EU for the purposes of law enforcement and the protection of national security is not subject to the Data Protection Directive, and arguably the use of data by EU-based intelligence agen-