Out-Law Analysis | 05 Oct 2015 | 5:11 pm | 6 min. read
It is anticipated that the Court of Justice of the EU (CJEU) will quash a 'safe harbour' regime that supports EU-to-US data transfers amidst concerns with US surveillance practices and how that impacts on EU citizens' privacy rights.
Fears that US law enforcement and intelligence agencies engage in mass surveillance activities prompted an advisor to the CJEU to last month deem the safe harbour regime incompatible with EU data protection laws.
However, if the CJEU confirms that finding on Tuesday it is likely that other legal tools, beyond safe harbour, which organisations rely on to transfer personal data from the EU to the US will come in for scrutiny too.
That prospect creates uncertainty for businesses that, until now, will have believed the data transfer arrangements they have in place meet the standards required by EU law.
Concern over EU-US data transfers
A cornerstone principle of the EU's Data Protection Directive, which applies across the EU, limits the right to transfer personal data outside the European Economic Area. Only where "adequate protections" are in place, or where the destination country has been pre-approved by the European Commission as having adequate data protection, can data transfers go ahead.
The US has not been designated as meeting the 'adequacy' standards, but in 2000 the Commission agreed a framework with US officials to facilitate the transfer of personal data from the EU to the US. The Safe Harbour Agreement means that US organisations that self-certify compliance with requirements of the safe harbour regime are deemed as having met the 'adequacy' standards outlined in the EU Directive.
There is a long history of challenges to the Safe Harbour Agreement, but the framework came in for particular scrutiny and criticism after whistleblower Edward Snowden released details of the alleged surveillance capabilities and practices of the US' National Security Agency and other intelligence gathering bodies through the media in 2013.
The Safe Harbour Agreement was reviewed by the European Commission which found "deficiencies in transparency and enforcement" in respect of how the framework operates. The Commission faced calls to suspend the Agreement but instead opted to pursue negotiations with US counterparts on a new data protection agreement and a new safe harbour framework for EU-US data transfers and allow the existing safe harbour regime to operate as normal in the interim.
The Snowden revelations prompted campaign group 'Europe v Facebook' to ask Ireland's data protection authority to look into Facebook's data transfer arrangements. The High Court in Ireland has opened a judicial review into the authority's decision not to investigate and asked the CJEU for assistance in interpreting aspects of EU law that the case raises questions about.
The Irish court wants to know whether national data protection authorities are "absolutely bound" by the fact that the European Commission decided in 2000 that the EU-US safe harbour regime adheres to EU data protection laws, or whether the authorities can or should investigate complaints about data transfer arrangements made under that regime "in the light of factual developments in the meantime".
The CJEU ruling on the matter is due on Tuesday morning, but clues as to how it might rule can be found in the non-binding opinion issued by one of the Court's advisors last month.
The advocate general's opinion
Yves Bot, advocate general at the CJEU, said the EU-US Safe Harbour Agreement "cannot be regarded as ensuring an adequate level of protection of the personal data transferred from the European Union to the United States under that scheme".
Relying on evidence before the Irish court, Bot said it seems US intelligence agencies engage in "mass, indiscriminate surveillance" which offers them access to personal data in a way not justified under EU law.
In response, though, the United States Mission to the European Union said that Bot's opinion "rests on numerous inaccurate assertions about intelligence practices". It said the US "does not and has not engaged in indiscriminate surveillance of anyone, including ordinary European citizens".
However, whilst advocate general opinions are not binding on the CJEU, in the majority of cases the Court will follow them when it comes to issuing its formal judgment.
The potential impact of the ruling
If the CJEU rules that the Safe Harbour Agreement is incompatible with EU data protection laws then it will force US businesses that currently rely on the safe harbour regime to transfer personal data from the EU to find other legal mechanisms to do so.
In 2001 the Commission created 'model clauses', since updated, that businesses can adopt which help them to meet the 'adequacy' standards of EU data protection laws when transferring personal data outside of the EU.
Companies can also implement 'binding corporate rules' (BCRs) for intra-group data transfers around the world. BCRs are a mechanism, not currently codified in the Data Protection Directive but which is provided for in the forthcoming General Data Protection Regulation, pursuant to which businesses can agree with regulators to commit in effect to a code of conduct for handling and protecting personal data in a way which accords with the requirements of EU data protection law when transferring that data to other companies in their group in non-EEA locations.
However, both the model clauses and BCRs frameworks could now come in for scrutiny for similar reasons to those highlighted in relation to the safe harbour regime if the CJEU rules as is expected.
Such scrutiny might be initiated at EU level. The Article 29 Working Party, the committee of representatives from national data protection authorities across the EU, is due to meet in the aftermath of Tuesday's CJEU ruling to discuss the consequences for the EU-US safe harbour regime. However, it is possible that the Working Party will also open a further debate on what the judgment means for model clauses and BCRs. This is something Germany's data protection authorities are pushing for.
Absent an EU-led review, national data protection authorities might take their own steps to address concerns about EU-US data transfers. In the extreme they might decide they no longer recognise model clauses, for example, as an appropriate mechanism for enabling compliant data transfers.
At the least, a debate over the scope of model clauses and the level of control and scrutiny placed on them by regulators can be anticipated.
What would this mean for businesses?
The Snowden revelations has driven anti-US sentiment in some EU countries and heightened concerns about the US' attitude to the EU's data protection regime. Data protection has become a political issue.
There are already examples of squabbling and differences in approach between some data protection authorities in the EU about how to regulate US companies. These issues are likely to increasingly manifest themselves in light of the Weltimmo ruling which gives greater latitude to national data protection authorities to regulate businesses either based outside of the EU or in another EU country from them.
A lack of consistency and a climate of disagreement is of concern for businesses ahead of the new General Data Protection Regulation which promises greater harmonisation of data protection laws across the EU and closer cooperation between national watchdogs.
With the CJEU's imminent ruling as the likely prompt, will data protection authorities look behind model clauses and ask more questions about the measures organisations have in place to comply with EU data protection laws when transferring personal data overseas?
Figures obtained by Out-Law.com under freedom of information laws revealed that there were just seven cases between 1 January 2014 and 13 August 2015 that the UK Information Commissioner's Office (ICO) looked into which concerned potential breaches of data transfer rules by organisations.
Three of the cases concerned data controllers based overseas and one further case was closed due to a lack of information. In a fifth case the ICO was to raise a concern with a data controller. The ICO launched investigations in two other cases, involving a media organisation and legal business respectively, but required neither organisation to take any action as it concluded that no breach of the UK Data Protection Act had occurred in either instance.
Companies can expect the CJEU's ruling to spur greater scrutiny of all data transfer mechanisms used by companies, including the model clauses.
The model clauses are, or should be, like most other legal agreements, underpinned by business processes, practices and procedures that make the clauses work operationally, both from the perspective of organisations exporting personal data and those receiving it. Implementing model clauses as a tick-box exercise not supported by such underlying data protection processes and procedures was never recommended.
Any businesses that persist with this approach risk enforcement action, and potentially stiff penalties under the forthcoming General Data Protection Regulation.
Marc Dautlich is a data protection law expert at Pinsent Masons, the law firm behind Out-Law.com.