In Schrems the CJEU has declared the Safe-Harbor-Decision of the European Commission invalid whilst strengthening the EU fundamental rights. The Court has done so with astonishing clarity. Although the matter is about Facebook Ireland’s transfer of data to servers of Facebook, Inc. in the U.S., it, ironically, will not be Facebook but companies of the European “old economy” that will have to face severe consequences in the aftermath of this landmark judgement. In many cases of every day data processing in the business world, the consent of data subjects will be impossible to obtain. It is at the same time nearly impossible to prevent data to be transferred outside the EU. Hence, a vast number of data processing operations which were lawful before Schrems are now illegal.
According to the EC Data Protection Directive (RL 95/46/EC), data transfers to third countries, i.e. countries outside the European Economic Area (EEA), are permitted only if there is an adequate level of protection in the country in which the recipient is located. So far, the Commission’s decisions attesting the adequacy of the level of protection in individual countries were based on the Directive. As no classical data protection laws exist in the U.S., the U.S. committed itself to the Safe Harbor Framework. The latter stipulates privacy principles to which American companies may subject themselves on the basis of self-certification. With respect to such self-certified Safe Harbor-companies, the Commission’s decision in the year 2000, which was now overturned by the CJEU, recognized the U.S. as a safe third country. Until Schrems, it was therefore possible to transfer data to such companies.
Right to legal recourse
The CJEU now stated that despite the Commission’s decision national data protection authorities have to be able to continue reviewing whether an adequate level of protection exists in the third country to which personal data is to be transferred. This right may not be restricted by a decision of the Commission. The national data protection authority may, however, not declare a decision made by the Commission invalid – this right is reserved for the CJEU – but has to examine the level of data protection if a data subject raises concerns.
The national authority has to decide on the data subject’s request in substance. The data subject is thereby enabled to seek a court decision on the matter. A national authority may in other words not, as the Irish Data Protection Commissioner did, withdraw itself from the aforementioned obligation by stating that the Commission has already made a binding decision. As the Irish authority did not deal with the data subject’s arguments, the latter’s complaint against the Irish Company had not been heard. This impeded its right to a fair hearing. The judgement of the ECJ may therefore be understood as an enforcement of the right of legal protection and of the independence and sovereignty of national data protection authorities.
Materialization of the fundamental rights
Moreover, according to the CJEU judgment, the Commission’s decision of 2000 is invalid because the Commission has failed to examine whether an adequate level of protection exists and continues to exist on the basis of national statutory law and its implementation in the U.S. Doubts as to the adequacy of the level of protection exist in view of the extensive activities of the secret services and prevailing national provisions of American law. A mere examination of the observance of the Safe Harbor Principles does not suffice to attest an adequate level of protection. This is a remarkable step forward in the protection of fundamental rights by the CJEU vis-à-vis EU lawmakers. Although the CJEU had already increased this control, before Schrems the Court was somewhat reluctant to declare legal acts of the Union invalid on the basis of EU fundamental rights. It instead left a considerable margin of appreciation to EU lawmakers. Yet in Schrems the CJEU now clearly criticizes the Commission’s decision for a lack of substantive examination of the – legal and factual – level of data protection in the U.S.
The CJEU further states that the regulations of data protection in the third country do not need to be identical, they must, however, provide an equivalent level of protection to the one established by the EC Data Protection Directive. The CJEU thereby strengthens the material content of the fundamental rights. The judgement, in addition, de facto implies the need for equal data protection laws in the U.S. and may therefore be interpreted as a call for a legal framework, e.g. on a multinational basis.
Risk and legal uncertainty for companies
The judgement’s implications for companies are, however, far-reaching: the transfer of personal data to companies seated in the U.S. may no longer be based on the Safe Harbor Principle. Alternative possibilities to transfer data outside the EU/EEA, like the consent of the data subject, are limited because the burdens to obtain such (valid) consent are high, especially when it comes to personal data of employees, let alone those of other companies a controller does business with.
Since the mere possibility of foreign companies to access data already qualifies as a transfer under European data protection law, the practical significance of the judgment cannot not be underestimated: Cloud-based software solutions, which are routinely used in most companies, regularly enable companies from third countries to access them, e.g. technical support rendered by subprocessors all over the world, 24 hours a day. Lots of Cloud providers do not reside in the EEA but in the U.S. But even so-called European solutions („EU-only“), praised by providers, usually make no difference as, here too, support services are regularly provided from within third countries.
A current law suit brought by Microsoft against the U.S. government shows how companies face diverging interests when dealing with European and American understanding of data protection. They are on the one hand bound by agreements not to transfer data and on the other hand obliged by American laws to cooperate with secret services: By a search warrant, the government obliged Microsoft to retrieve emails which are held in its data center in Ireland. The government argued that Microsoft is an American company. A European company which wants to be sure that its data is not transferred will consequently not only have to provide for an EU-data center but may contract solely with European Entities. This questions the future of international data processing.
Re-territorialization of data processing
The judgment only applies to Safe Harbor. However, it will very likely have an impact on data transfers to other countries worldwide. In another of the Commission’s decisions which was not subject to the Schrems judgment, the Commission decided that data transfers to third countries are lawful if the recipient company agreed by contract vis-à-vis the transferring company to adhere to standardized general terms and conditions (so-called EU standard contractual clauses) predefined by the Commission.
In view of the Schrems judgment, this Commission decision might potentially be challenged in the near future on the basis of a very similar reasoning as applied by the ECJ in Schrems: The level of data protection may be endangered not only in cases of transfers to the U.S. by prevailing American laws, but, similarly, by the respective national laws and their implementation in the third countries to which the data is sent under the EU standard contractual clauses. To this end, the regulatory framework of data processing in the EU is clearly heading towards re-territorialization.