Today the Court of Justice of the European Union (CJEU) invalidated Decision 2000/520 of the European Commission establishing a safe harbour for transferring personal data from the EU to the US. Furthermore, it clarified and strengthened the role of national Data Protection Authorities when such a safe harbour is issued. This post explains the judgment through some highlights and concludes with the Commission’s response.
Did the existence of a Commission Decision establishing a Safe Harbour limit the national DPAs in their tasks and ability to investigate individual complaints that fall under the Safe Harbour?
No. It is the Commission’s prerogative to adopt a decision finding that a third country ensures an adequate level of protection (Art. 25(6) DPD), and until such a decision is invalidated by the CJEU it should be complied with. This means that measures to the contrary cannot be adopted, not even by the DPA (paras. 51-52). However, such a decision ‘cannot prevent persons whose personal data has been or could be transferred to a third country from lodging with the national supervisory authorities a claim’ (para. 53). Thus, in agreement with the AG’s opinion on the case, the CJEU holds that a Commission decision of this nature cannot eliminate or reduce the powers expressly accorded to the national supervisory authority by Article 8(3) of the Charter and Article 28 DPD (para. 53).
Para 57 reads:
‘(…) Article 28 of Directive 95/46 applies, by its very nature, to any processing of personal data. Thus, even if the Commission has adopted a decision pursuant to Article 25(6) of that directive, the national supervisory authorities, when hearing a claim lodged by a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him, must be able to examine, with complete independence, whether the transfer of that data complies with the requirements laid down by the directive’.
Does this mean that a DPA can invalidate a Commission decision?
No. The CJEU clarifies that the DPAs themselves cannot invalidate a Commission decision (para. 62), only the CJEU can (para. 61). However, the CJEU continues that in the event an individual complaint raises concerns which are shared by the DPA, ‘that authority must (…) be able to engage in legal proceedings’ (para. 65). If the national courts then share these doubts as to the validity of the Commission decision, the national court should ‘make a reference for a preliminary ruling for the purpose of examination of the decision’s validity.’ (para. 65)
Why did the CJEU invalidate the Safe Harbour Decision?
Before delving into the specifics of why the Safe Harbour Decision was declared invalid, the origin of the Decision is briefly explained. The Data Protection Directive (DPD) contains provisions for the transfer of personal data from the EU to countries outside of the EU (‘third countries’). Article 25 DPD, which lays down the principles under which the transfer of data to third countries is allowed, also allows for action by the EU Commission.
In particular Art. 25(6) reads:
‘The Commission may find, in accordance with the procedure referred to in Article 31(2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.
Member States shall take the measures necessary to comply with the Commission’s decision.’
The Commission had created such a decision, the contested Safe Harbour Decision 2000/520. In the Decision, the Commission had considered the US to provide an ‘adequate level of protection’. The CJEU had to assess whether this was a correct assessment made by the Commission.
Firstly, the CJEU struggles with the definition: what does the concept of ‘an adequate level of protection’ mean? This is not clear from the Directive itself (as the CJEU concedes in para. 70). However, the ruling gives some guidance, in that ‘an adequate level of protection’ means that if the level of protection in the third country (here: US) is lower than what the EU provides to data subjects under EU law, then it’s a no go. Adequate, however, does not mean equal to the level of protection afforded in the EU.
‘The word “adequate” in Article 25(6) of Directive 95/46 admittedly signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order. However, as the Advocate General has observed in point 141 of his Opinion, the term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter.’ (para 73)
The CJEU continues with the following, emphasis added:
‘It is clear from the express wording of Article 25(6) of Directive 95/46 that it is the legal order of the third country covered by the Commission decision that must ensure an adequate level of protection. Even though the means to which that third country has recourse, in this connection, for the purpose of ensuring such a level of protection may differ from those employed within the European Union in order to ensure that the requirements stemming from Directive 95/46 read in the light of the Charter are complied with, those means must nevertheless prove, in practice, effective in order to ensure protection essentially equivalent to that guaranteed within the European Union.’ (para. 74)
This means that the Commission had to examine the level of protection afforded by the US before issuing its Safe Harbour Decision, which it did. Furthermore, according to the CJEU, this also means that the Commission should ‘check periodically whether the finding relating to the adequacy of the level of protection ensured by the third country in question is still factually and legally justified. Such a check is required, in any event, when evidence gives rise to a doubt in that regard.’ (para. 76)
In terms of the leeway given to the Commission, the CJEU is clear: the ‘Commission’s discretion as to the adequacy of the level of protection ensured by a third country is reduced, with the result that review of the requirements stemming from Article 25 [DPD], read in the light of the Charter, should be strict’ (para. 78).
The CJEU then looks more closely at the Safe Harbour Decision itself and carefully examines Articles 1 and 3 of the Decision. With regard to Article 1 it states:
‘The Commission found in Article 1(1) of Decision 2000/520 that the principles set out in Annex I thereto, implemented in accordance with the guidance provided by the FAQs set out in Annex II, ensure an adequate level of protection for personal data transferred from the European Union to organisations established in the United States. It is apparent from that provision that both those principles and the FAQs were issued by the United States Department of Commerce.’ (para 79)
The idea of the Safe Harbour was that if a company complied with the principles as set out in the Decision, it would qualify for ‘the safe harbour and the presumption of “adequacy” it creates’ (see para. 82). However, these principles may be limited under the fourth paragraph of Annex I to the Decision (see para. 84). This leads the CJEU to the following:
‘(…) Decision 2000/520 lays down that ‘national security, public interest, or law enforcement requirements’ have primacy over the safe harbour principles, primacy pursuant to which self-certified United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with those requirements and therefore prove incompatible with them.’ (para 86)
The CJEU finds that interference, either based on ‘national security’ or other such (legitimate) objectives, with the fundamental rights of the persons whose data is transferred from EU to US, is not limited by any rules that the CJEU could find (para. 88). Furthermore, there is no reference in the Decision to the existence of any effective legal protection against interference of that kind (para. 89). Procedures before the FTC (Federal Trade Commission) in the US do not suffice, as:
‘the Federal Trade Commission — the powers of which, described in particular in FAQ 11 set out in Annex II to that decision, are limited to commercial disputes — and the private dispute resolution mechanisms concern compliance by the United States undertakings with the safe harbour principles and cannot be applied in disputes relating to the legality of interference with fundamental rights that results from measures originating from the State.’ (para. 89)
The CJEU then takes up the guidelines and requirements it established in the Digital Rights Ireland and Others case on the invalidity of the Data Retention Directive (see our earlier post on this). The CJEU recalls that legislation interfering with fundamental rights must be strictly necessary and proportionate (para. 93). Applying this to the legislation as present in the US, the CJEU states that ‘legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter.’ Note that Article 7 is the fundamental right to privacy, not the fundamental right to data protection, which is covered by Article 8 of the Charter.
The CJEU continues that the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter, is also not respected by ‘legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data’ (para. 95).
Furthermore, the Commission did not state in its Decision that ‘the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments.’ (para. 97). Following the foregoing, Article 1 of the Decision is invalid.
The CJEU then turns to Article 3 of the Decision which entails ‘specific rules regarding the powers available to the national supervisory authorities in the light of a Commission finding relating to an adequate level of protection’ (para. 100). This Article entails a limitation of the possibility of the DPAs to take action to ensure compliance with Article 25 DPD. In creating such a limitation of the powers of the DPAs, the Commission has exceeded its powers (para. 104). This means that Article 3 is also invalid.
Because Articles 1 and 3 are invalid, and are inseparable from Articles 2 and 4 of the Decision and its annexes, the CJEU concludes that ‘their invalidity affects the validity of the decision in its entirety.’
The Safe Harbour Decision 2000/520 is thus invalid.
The Commission’s response
Vice-President Timmermans and Commissioner Věra Jourová gave a press conference on the Commission’s response to the ruling. Timmermans, when asked whether the Commission considered the judgment a blow to the Commission’s work, stated: ‘It is neither a huge reinforcement nor a huge blow.’ The two Commissioners considered the ruling in a positive light, as ammunition for the renegotiations on the Safe Harbour with the US. They consider the ruling to be an affirmation of what they have been working on for the past two years.
Furthermore, the Commission wanted to highlight that the judgment underscores that there is a guarantee for personal data to be protected by sufficient safeguards. The Commission further underscored the need for a continuation of the transatlantic flow of data, and to keep this going while the Commission is renegotiating the Safe Harbour towards a ‘safer Safe Harbour’, as Commissioner Jourová stated. The next few weeks will see the website of the Commission fill up with guidance on how to keep the transatlantic flow going.
The focus seems to be, as Commissioner Jourová considered, on making use of ‘other mechanisms’ that could maintain the transatlantic flow of data. She mentioned standard data protection clauses, binding corporate rules, and derogations based on performance of a contract, important public interest grounds such as those based on fraud and cartels, or the vital interest of the data subject, and of course the well-known free and informed consent of the data subject. The specifics will still need ironing out, which will be done in cooperation with the different Data Protection Authorities that are scheduled to meet the Commission in the upcoming week(s).