The ECJ Safe Harbor Ruling annuls the EU Commission's Safe Harbor Decision and puts the future of transatlantic data transfers at stake. A new approach for data transfers between the EU and the USA is supposed to bring the solution: the EU-US-Privacy-Shield. Whether or not this will be successful is as uncertain as the legitimacy of international data transfers from the EU to other third countries.
1. The Safe Harbor Ruling
My colleague Bernhard Freund has discussed the key aspects of the Safe Harbor Ruling. The aim of this article (without claiming to give the comprehensive picture) is to pick up loose ends from his discussion.
The Safe Harbor Ruling has the direct consequence that one justification for transatlantic data transfers ceases to exist, and it creates a large number of open questions and obstacles for other international data transfers that are far from being solved.
The immediate reaction of the EU Commission [PDF], and later that of the German government [PDF in German], to the Safe Harbor Ruling may be summarised as “transatlantic data transfers have always been possible and will somehow be possible in the future regardless”. Accordingly, they suggest using EU Standard Contractual Clauses instead of the Safe Harbor justification. The German Data Protection Authorities’ views are more nuanced and differ between the individual Data Protection Authorities.
The Bavarian Data Protection Authority and the Hamburg Data Protection Authority [PDF in German] take the view that data transfers to the USA are possible on the basis of EU Standard Contractual Clauses, while the Data Protection Authorities of Hessen and Schleswig-Holstein also see the legitimacy of EU Standard Contractual Clauses at stake. The Rheinland-Pfalz Data Protection Authority even assumes that data transfers to the USA would, with immediate effect, require the Data Protection Authorities’ prior approval [PDF in German].
2. What’s Next?
The EU-US-Privacy-Shield is now supposed to provide the final solution for these obstacles. The EU-US-Privacy-Shield approach is, however, rather uncertain. As of today, there is merely an EU Commission press statement suggesting a mutual political agreement between the EU Commission and US Government representatives on protecting the personal data of EU citizens in the USA.
The EU Commission’s expectations are rather high, suggesting the EU-US-Privacy-Shield would provide extensive protection for EU citizens’ fundamental rights (in particular with respect to their privacy rights) when their personal data are transferred to the USA. Also, the EU-US-Privacy-Shield is supposed to bring legal certainty for affected companies. Both are to be accomplished by:
- strong obligations on companies handling Europeans’ personal data and robust enforcement,
- clear safeguards and transparency obligations on U.S. government access, and
- effective protection of EU citizens’ rights with several redress possibilities.
The USA are now supposed to implement these safeguards into their national regulations, while the EU Commission prepares a new adequacy decision in cooperation with the Art. 29 Group and the Member States’ representatives. This process is to be completed within three months.
3. Legal Risks Remain
The aim of the EU-US-Privacy-Shield is to provide ultimate legal certainty. Whether this will be achieved remains to be seen, as the ECJ’s requirements are rather high. The USA must do no less than change the practice of data analysis in the interest of national security, the public interest and the execution of US laws. Instead of US agencies storing and analysing EU citizens’ personal data without further requirements, the USA must now implement statutory justifications that take into account the principles of necessity and proportionality according to European standards.
It is rather unlikely that the EU-US-Privacy-Shield will last if the USA don’t meet these high standards, because the ECJ has empowered and obliged the European Data Protection Authorities to assess these requirements in each individual case and independently of any EU Commission adequacy decision. Should they come to the conclusion that these standards are not fulfilled, they must bring an action before the national courts, ultimately taking the issue to the ECJ. Recitals 57 and 65 of the Safe Harbor Ruling state:
“Thus, even if the Commission has adopted a decision pursuant to Article 25 (6) of that directive, the national supervisory authorities […] must be able to examine, with complete independence, whether the transfer of that data complies with the requirements laid down by the directive […] where the national supervisory authority considers that the objections advanced by the person who has lodged with it a claim concerning the protection of his rights and freedoms in regard to the processing of his personal data are well founded, that authority must […] be able to engage in legal proceedings. It is incumbent upon the national legislature to provide for legal remedies enabling the national supervisory authority concerned to put forward the objections which it considers well founded before the national courts in order for them, if they share its doubts as to the validity of the Commission decision, to make a reference for a preliminary ruling for the purpose of examination of the decision’s validity.”
Accordingly, whether or not the EU-US-Privacy-Shield will in fact fulfil the high expectation of bringing legal certainty remains open.
4. Effects for other International Data Transfers
Following the Safe Harbor Ruling, the Data Protection Authorities would also be required to assess the legitimacy of international data transfers on the basis of other justifications, e.g. the EU Standard Contractual Clauses, in the individual case and independently of any EU Commission ruling. Ultimately, they would also be required to bring such data transfers before the courts for review where they have doubts regarding their legitimacy. Where the German Data Protection Authorities confirm the validity of the EU Standard Contractual Clauses for transatlantic data transfers, this is to be welcomed in the interest of affected companies. It is, however, far from certain that this will be their final approach.
And that is not all. The USA are by far not the only country considered insecure with respect to its data protection regulation because of extensive permissions for government agencies to acquire and analyse personal data in the interest of national security and other public or governmental interests. This leads to the question of whether we may just be at the beginning of a new approach to assessing the legal requirements for international data transfers. It may well be that a new distinction will be required: in addition to distinguishing secure and insecure third countries, there may be countries whose data protection standards are so low that transferring personal data there would under no circumstances be permitted.
It is rather unlikely that candidates for this category, such as Russia, China or North Korea, would agree to comply with European data protection standards when storing and processing EU citizens’ personal data.
5. Open Issues
Affected companies should carefully monitor developments in the legal framework for international data transfers and adapt their legal and risk management strategies accordingly. In order to do so, it is advisable to analyse international data flows and assess whether potentially critical data flows may be adjusted, technically or legally, if need be. For commissioned data processing, this includes assessing whether fully encrypted processing is possible and whether the provider may be replaced without negative impact on the company.
In the short term, it is expected that the (German) Data Protection Authorities will focus their supervisory activities on EU-US data transfers. Accordingly, this should be the starting point for any analysis of international data flows; in the course of that process, the analysis should then be extended to other countries following a risk evaluation.