Analysis

The European Court of Justice declares invalid the legal framework governing the transfer of personal data from the EU to the US based on the Safe Harbour principles

Implications for Romania

On 6 October 2015, the European Court of Justice (the “Court”) ruled, in its decision in case C-362/14, that the EU-US Safe Harbour framework for transferring personal data from the EU to the US, where the recipient in the US holds a valid Safe Harbour certificate, is invalid.

The Court also ruled, interpreting the provisions of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Directive”), that the existence of a decision of the European Commission (the “Commission”) recognizing an adequate level of protection for the transferred personal data does not prevent the supervisory authority of a Member State from examining a person's claim regarding the transfer of personal data to a third country, when that person considers that the law and practices in force in the third country do not ensure an adequate level of protection.

Short presentation of the case

Maximillian Schrems, an Austrian Facebook user since 2008, lodged a complaint with the Irish Data Protection Authority (the “Authority”) following the statements made by Snowden about the activities of the US intelligence services (in particular the National Security Agency). The Authority rejected the complaint on the grounds that, under the Safe Harbour scheme, the transfer to the US had been declared by the Commission as ensuring an adequate level of protection (i.e. protection equal to EU standards).

The High Court of Ireland, to which the case was then brought, asked the Court to rule on the reasons invoked by the Authority, i.e. whether the existence of a Commission decision establishing that a third country ensures an adequate level of protection can eliminate or reduce the powers available to a national data protection authority.

The decision of the Court

In its decision of 6 October 2015, the Court established the following:

  • The existence of a Commission decision establishing that a third country ensures an adequate level of protection for the data transferred can neither annul nor reduce the powers of the national data protection authorities
  • A regulation allowing public authorities generalized access to the content of electronic communications violates the fundamental right to privacy
  • The Commission did not have the competence to restrict the powers of the national data protection authorities
  • Commission Decision 520/2000, establishing an adequate level of protection for transfers of personal data from the EU to the US where the data controller has adhered to the Safe Harbour principles, is invalid

Also, the decision of the Court does not provide for any grace period or transitional period.

Consequences: revising the strategy for personal data transfers to the US based on the Safe Harbour principles

The direct consequence of the Court’s decision is that the Authority will have to examine the complaint of Mr. Maximilian Schrems and then decide whether, pursuant to the Directive, the transfer of the data of Facebook’s European subscribers to the US should be suspended on the ground that the country does not afford an adequate level of protection of personal data.

A much wider consequence of the Court’s decision is that the legal framework for transfers of personal data between the EU and the US, where the recipient holds a valid Safe Harbour certificate, has been declared invalid. In practice, in such situations, personal data transfers will need to comply with the rules applicable to any transfer to a data importer situated in a state which does not ensure an adequate level of protection, namely a transfer based on a contract with standard clauses concluded between the data exporter and the data importer, or based on binding corporate rules.

Implications regarding Romania

In Romania, the supervisory authority in the data protection field is the Data Protection Authority (the “DPA”).

In the context of the Court’s decision, we consider that the DPA should reanalyse the transfers of personal data to assess whether the level of data protection is adequate, even in the absence of the Safe Harbour certification. Should the DPA assess that the protection level provided by the country of destination is not satisfactory, it can prohibit the data transfer. In such a case, the Romanian data controller can also identify alternative options for authorizing the transfer, namely:

  • Presenting sufficient guarantees with respect to the protection of the fundamental rights of the data subjects, by means of a contract concluded with the data importer. In such a case, depending on the capacity of the data importer (data controller/data processor), the standard contractual clauses of the Commission decision shall be observed, i.e. the standard contractual clauses regulating the data transfer from a data controller in Romania to another data controller established in a state where the legislation does not provide an adequate level of protection at least equal to the one provided by Romanian law or, as the case may be, the standard contractual clauses regulating the transfer of data from a Romanian data controller to a data processor established in a state where the legislation does not provide an adequate level of protection at least equal to the one provided by Romanian law.
  • Authorizing the transfer based on the binding corporate rules.
  • Obtaining the express consent of the data subjects. The consent should be explicit and provided in such a manner as to be considered valid. Also, it is advisable that the data controllers and their representatives keep proof of the consent collected from the data subjects for any possible claims or investigations from the DPA.