A 3D-printed Facebook logo is seen in front of the logo of the European Union in this illustration. Photo: Dado Ruvic/Reuters

The revelations made by Edward Snowden have had a significant impact on data privacy. In 2013, Snowden leaked to the media details of systematic phone and internet surveillance by American intelligence.

The Court of Justice of the European Union (CJEU) was recently called upon to establish whether the law and practice of the US offer sufficient protection of the data transferred to that country against surveillance by public authorities.

The matter was brought forward by an Austrian citizen, Maximilian Schrems, a Facebook user since 2008. Subscribers of Facebook residing in the EU may have some or all of their data provided to Facebook transferred to servers located in the US where the data is processed. Following the Snowden revelations, Schrems filed a complaint with the national supervisory authority on the data transfer to the US claiming that the US may not provide a Safe Harbour. The High Court of Ireland made a reference to the CJEU for guidance.

The dispute concerned the European Data Protection directive that establishes a harmonised set of minimum principles intended to protect personal data. Among other things, the directive permits the transfer of personal data to a country outside of the EU only if that country ensures an adequate level of data protection.

The directive also authorises the Commission to decide whether a third country ensures an adequate level of protection. If the Commission adopts a decision to that effect, the transfer of personal data to the third country concerned may take place.

Pursuant to a Commission decision, the US has for the past 15 years been considered a country that ensures an adequate level of protection through compliance with the Safe Harbour scheme.

Consequently, personal data of EU citizens would be transferred freely from companies in the EU to companies in the US for commercial purposes without the need for prior authorisation.

Schrems, in his lawsuit, contended that the Safe Harbour scheme offered no real protection against surveillance by the US of personal data transferred to that country.

In this ruling, the protection of privacy and personal data triumphed over the freedom to conduct a business and the free movement of personal data across borders. The CJEU considered that the Snowden revelations made it apparent that American intelligence agencies had almost unfettered access to data, infringing on rights to privacy enshrined in EU legislation. Accordingly it ruled that the access enjoyed by the US intelligence services to the transferred personal data of EU residents constitutes an interference with the right to respect for private life and the right to protection of personal data.

The Luxembourg Court further adjudged the Safe Harbour scheme as invalid. It premised that the Commission could only find that the US provided an adequate level of protection if that protection was essentially equivalent to the data protection standards prevalent in the EU. The Court deemed that the derogations that existed in the Safe Harbour scheme, such as those for national security or public interest purposes, were not delimited by clear and precise rules governing their scope and application, allowing the possibility of abuse and unlawful access. Derogations in relation to the protection of personal data are permissible under the case law of the CJEU only in so far as they are strictly necessary.

As a consequence of this ruling, the transfer of personal data from the EU to the US can no longer be based on the Safe Harbour scheme. In the absence of this scheme, EU companies must adopt an alternative legitimate route to transfer personal data to the US.

One of the acceptable methods would be the execution of a transfer contract whereby the receiving US company will be obliged to adhere to a set of rules that satisfy EU data protection requirements. Unambiguous informed consent of the data subject would also be a valid legal basis for data transfer.

The ruling establishes that national data protection authorities are required to investigate companies to ensure that their information-handling practices comply with that state’s data protection laws. Citizens are entitled to submit complaints to national authorities where their data protection rights are considered not to be adequately protected in a third country even if the Commission adopts a decision that the third country provides adequate protection.

In the wake of this ruling, the Commission has indicated its intent to continue working to reach agreement on a new Safe Harbour mechanism with US authorities, with which it has been in negotiations for the past two years. It is likely that the new mechanism will address the problems the invalidated scheme had and will tackle the concerns raised by the Court’s ruling.

jgrech@demarcoassociates.com

Josette Grech is an adviser on EU law at Guido de Marco & Associates.
