Safe Harbour and PRISM


Friday, October 24, 2014

Introduction

On 18 June 2014, Mr Justice Hogan of the High Court delivered a ground-breaking judgment in the case of Maximilian Schrems v. Data Protection Commissioner, in which he upheld the actions of the Irish Data Protection Commissioner (the “Commissioner”) in refusing to investigate a complaint made by Mr Schrems in relation to the transfer of personal data by Facebook Ireland to its parent company in the United States, Facebook Inc.

Mr Schrems called on the Commissioner to investigate the adequacy of the data protection regime in the US and to prohibit transfers of European citizens’ data to the US, in the wake of the sensational revelations made by whistleblower Edward Snowden about the interception and surveillance of internet and telecommunications systems by the US National Security Agency on a massive and global scale under the “PRISM” programme. The Commissioner refused to investigate the matter on the grounds that he was bound by the terms of a formal Decision of the European Commission (2000/520/EC) (the “Safe Harbour Scheme”), which allows US companies to self-certify that they provide adequate and effective protection for personal data.

The response of the Commissioner was in contrast to that of the German Data Protection Authority who decided to both: (a) stop issuing approvals for data transfers until the German government determined whether unlimited access to German citizens’ personal data by foreign national intelligence services complied with fundamental principles of data protection law and (b) review whether to suspend data transfers carried out pursuant to the Safe Harbour Scheme.

Nonetheless, while the Irish High Court endorsed the Commissioner’s refusal to investigate the complaint made, Judge Hogan went on to request a preliminary ruling from the European Court of Justice, pursuant to Article 267 of the Treaty on the Functioning of the European Union, as to whether the entry into force of the European Charter of Fundamental Rights (the “Charter”) obliges national data protection authorities to look behind European findings regarding the adequacy of data protection afforded by a country outside the EEA (such as the Safe Harbour Scheme) and conduct their own investigation into the protection provided by that country, in circumstances where a credible complaint is made to them that the country does not provide an adequate level of protection for European citizens’ fundamental rights to privacy and data protection.

The decision of the European Court will determine the ultimate outcome of the Irish proceedings. However, due to the likely delay before any decision is made by the European Court, the potential impact of any such decision for EU Member States is likely to be overtaken by events in the form of the entry into force of the new Data Protection Regulation currently awaiting agreement between the European Parliament and the Council of Ministers and formal adoption by the Council.

In November 2013, following an assessment of the Safe Harbour Scheme by the European Commission, the Commission published a Communication, Rebuilding Trust in EU-US Data Flows, calling for a more robust agreement between the EU and the US. This followed an earlier call from the European Parliament for a review of the Scheme, after it was reported that US companies allegedly involved in the PRISM case were all parties to the Scheme.

In light of these developments, there is growing concern within the business community that uncertainty over the status and future of Safe Harbour may damage confidence. Data exchange that falls under the Scheme affects all industries, but is crucial to cloud computing and big data. Given the widespread use of the Safe Harbour Scheme, and the importance of ensuring adequate transfers to the U.S., it seems unlikely that Safe Harbour will be abandoned. However, discussions about the adequacy of Safe Harbour will continue, both before and after the decision of the European Court and the publication of a review by the European Commission. As a result, companies appear to have shown increasing interest in Binding Corporate Rules as a data transfer mechanism.

Background to the Schrems Proceedings

The proceedings related to a complaint made by the Appellant to the Commissioner that by transferring European Facebook users’ data to the United States, Facebook Ireland was facilitating the processing of such data by the US based Facebook (“Facebook Inc”). He argued that while Facebook Inc had self-certified by reference to the principles established by the Decision of the European Commission (2000/520/EC), which established the Safe Harbour Regime (the “Safe Harbour Scheme”), the Snowden revelations regarding indiscriminate surveillance of such data by law enforcement agencies under the PRISM programme, without any legal safeguards, demonstrated that US law and practice did not actually provide any meaningful protection for the data protection rights of individuals in respect of data so transferred. In such circumstances, he called on the Commissioner to investigate.

In his response, the Commissioner pointed out to the Appellant that as the Safe Harbour Scheme was a formal decision of the European Commission, it represented a binding determination as to the adequacy of protection for personal data transferred from the EU to the USA by companies self-certified in accordance with its principles. The Commissioner explained that the reason the Safe Harbour Scheme was binding was due to the provisions of Article 25(6) of the European Data Protection Directive (95/46/EC) (the “Data Protection Directive”) and Section 11(2) of the Irish Data Protection Acts, 1988 and 2003 (the “DP Acts”), which provide that where a question arises as regards whether an adequate level of protection is ensured by a country or territory outside the European Economic Area to which personal data are to be transferred, a finding of adequacy at a European level as regards the protection provided by that country is decisive. In light of these provisions and the terms of the Safe Harbour Scheme itself, the Commissioner concluded that it was not open to him to investigate the complaint made by the Appellant. The Appellant challenged the Commissioner’s refusal to investigate by way of judicial review proceedings in the High Court.

Decision of the Irish High Court

Judge Hogan held that while the Snowden revelations had extraordinary and potentially far-reaching implications for the privacy and data protection rights of European citizens, the Commissioner was, nonetheless, bound by decisions made at a European level, in the form of the Data Protection Directive and the terms of the Safe Harbour Scheme, in relation to international transfers of personal data by Irish or European companies to US companies registered under the Agreement.

However, Judge Hogan went on to question whether both the Data Protection Directive and Safe Harbour Scheme themselves need to be re-evaluated, in the wake of the Snowden revelations and the potential implications of those revelations for the privacy and data protection rights of European citizens. Judge Hogan reasoned that, in light of the entry into force of the European Charter of Fundamental Rights and, in particular, Articles 7 and 8 thereof, which afford individuals express rights to privacy and protection for their personal data, EU law may now actually require national data protection regulators to look behind formal findings made at a European level in relation to the adequacy of data protection provided by a third country, (in this case, the United States), where such findings are called into question by a credible complaint made to them.

As any such finding would have considerable implications for all 28 Member States of the European Union, Judge Hogan concluded that it was not open to him to determine the answer to this question. Accordingly, he referred the following question to the European Court of Justice for determination:

Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in Commission Decision of 26 July 2000 (2000/520/EC) having regard to Article 7, Article 8 and Article 47 of the Charter of Fundamental Rights of the European Union (2000/C 364/01), the provisions of Article 25(6) of Directive 95/46/EC notwithstanding? Or, alternatively, may the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission Decision was first published?

The request for a preliminary ruling was referred to the European Court on 17 July 2014, following the joinder of Digital Rights Ireland (an Irish digital rights body) as amicus curiae to provide assistance to the Court and the granting of a protective costs order to Mr Schrems, limiting the extent of his exposure to legal costs to €10,000.

European Commission Review

The European Commission has also proposed a review of the Safe Harbour Scheme. The Commission may decide to maintain, suspend or adapt Decision 2000/520/EC in the light of experience with its implementation and enforcement by the relevant US authorities.

The Commission has published the following 13 recommendations to improve the functioning of the Safe Harbour scheme and called on US authorities to identify remedies by summer 2014:

Transparency:

  • Companies self-certified under the Safe Harbour Scheme should publicly disclose their privacy policies.
  • Privacy policies should always include a link to the Department of Commerce Safe Harbour website which lists all the ‘current’ members of the scheme.
  • Self-certified companies should publish privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services.
  • Companies that are not members of the Safe Harbour Scheme should be clearly identified as such on the website of the Department of Commerce.

Redress:

  • Privacy Policies should include a link to the alternative dispute resolution provider.
  • Alternative Dispute Resolution should be readily available and affordable.
  • The Department of Commerce should regularly monitor Alternative Dispute Resolution providers.

Enforcement:

  • Following the certification or recertification of companies under Safe Harbour, a certain percentage of these companies should be subject to ex officio investigations of effective compliance with their privacy policies.
  • If there has been a finding of non-compliance following a complaint or an investigation, the relevant company should be subject to follow-up specific investigation after 1 year.
  • The Department of Commerce should inform the competent EU data protection authority in any case where there is doubt about a company’s compliance or there are complaints pending against the company.
  • False claims of Safe Harbour adherence should continue to be investigated.

Access by US authorities:

  • Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbour Scheme. In particular companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.
  • The national security exception foreseen by the Safe Harbour Decision should only be used to the extent that is strictly necessary or proportionate.
  • The Commission review on the functioning of the Safe Harbour Scheme will be based on the implementation of these 13 recommendations by the US authorities.

Commission’s Proposed Data Protection Regulation

On January 25, 2012, the Commission released proposed revisions to the EU data protection framework comprised of a General Data Protection Regulation (Regulation) and a Police and Criminal Justice Directive. Together they would repeal and replace Directive 95/46/EC. The Regulation is currently being negotiated. The Regulation’s final form and when it may be adopted are unclear. In particular, the European Parliament (Parliament) recently passed a vote on a compromise text that departs significantly from the Commission’s original draft.

If adopted, the Regulation would take direct effect in all 28 EU Member States and would significantly alter the current EU data protection framework. As initially proposed, notable changes include that:

  • The Commission would be able to make adequacy findings about territories or processing sectors in a country outside the EU.
  • Individual DPAs would be able to approve standard contractual clauses, in addition to the Commission-approved standard contractual clauses.
  • Binding Corporate Rules would be formally recognized.

Under Article 41(8) of the Regulation, adequacy decisions made under Articles 25(6) or 26(4) of Directive 95/46/EC, including the Safe Harbour Scheme, would remain in force unless amended, replaced or repealed by the Commission.

Under the Parliament’s compromise text, the Safe Harbour Scheme and other adequacy findings of the Commission would only remain in force for a period of five years after the adoption of the Regulation, unless amended, replaced or repealed by the Commission. The Parliament’s compromise text also proposes an additional transfer basis in the form of “European Data Protection Seals”, which would enable certified organizations to rely on privacy seals as an adequate basis for transfers outside of the EEA. Significantly, likely as a direct result of the PRISM revelations, the compromise text prohibits the disclosure of personal data as ordered by a court, tribunal or administrative authority of a country that is not deemed “adequate” by the Commission. Under this provision, if the US government were to request that a business (for example, a search engine, social network or cloud provider) disclose personal data processed in the EU, the business would be required to:

  • Notify the Data Protection Authority of the request without undue delay.
  • Obtain prior authorisation from the Data Protection Authority for the transfer.

In virtually every instance, this provision would prohibit organisations from complying with governmental orders (often subject to criminal penalties) to disclose personal data.

Leaked unofficial versions of the Council of the European Union’s compromise proposals indicate that the Safe Harbour Scheme and other adequacy findings of the Commission would remain in force unless amended, replaced or repealed by the Commission, and similarly include additional adequacy bases for transfers on grounds of approved codes of conduct and certification mechanisms.

Practical Implications for the Safe Harbour Regime

Notwithstanding the above developments, the Safe Harbour Scheme will continue to remain in force until specifically repealed or changed. In these circumstances, a guide to the operation of the Safe Harbour Scheme is set out below.

The Safe Harbour Scheme is not a general finding of adequacy in relation to the US, rather, it provides a mechanism whereby US companies can agree to adhere to a set of basic standards of data protection agreed between the European Commission and the US Government in Decision 2000/520/EC, which are broadly similar to the principles set out in the Data Protection Directive.

US organisations which sign up to and comply with the Safe Harbour Scheme are automatically authorised to accept data transfers from the EU without the need for individual approval or compliance with other legal or regulatory requirements. Failure to comply with the standards prescribed under the Safe Harbour Scheme can result in enforcement proceedings by the US Federal Trade Commission and direct action by affected individuals in the US courts.

In order to join the Safe Harbour Scheme, US companies must:

  • Comply with the requirements and publicly declare they do so;
  • Self-certify through the Safe Harbour website, or send a letter to the Department of Commerce announcing their intention to comply with the requirements.

A list of companies within the Safe Harbour Scheme is published on the website of the Federal Trade Commission (“FTC”) (Export.gov: Welcome to the US-EU & US-Swiss Safe Harbor Frameworks). In practice, fewer companies have signed up to the Scheme than was initially expected (only around 1,100 companies in eight years). In addition, US companies in certain sectors are automatically excluded from the Scheme, for example, financial services, transport and telecommunications.

The Scheme is enforced by the Federal Trade Commission (FTC), comparable US government agencies and/or individual states, depending on the industry sector. Under the US Federal Trade Commission Act, for example, a company’s failure to abide by commitments to implement the Scheme standards might be considered deceptive and actionable by the FTC. The FTC has the power to rectify these misrepresentations by seeking administrative orders and civil penalties of up to $12,000 a day for violations. Failure to comply with the standards can also result in direct action by affected individuals in the US courts.

Following the PRISM disclosures and the referral made to the European Court of Justice by the Irish High Court, there has been speculation that EU Data Protection Authorities may no longer recognise the Safe Harbour Scheme as a valid data transfer mechanism.

However, National Data Protection Authorities have limited powers to suspend data transfers based on the Scheme. Article 3(1) of the Commission Decision 2000/520/EC identifies only the following limited circumstances in which EU DPAs may suspend a data transfer to a Safe Harbour-certified recipient:

  • There is a pending FTC enforcement action against the Safe Harbour-certified organization.
  • A substantial likelihood exists that the standards are being violated and:
    • there is a reasonable basis for believing that the Safe Harbour enforcement mechanisms are not taking or will not take adequate timely steps;
    • permitting the transfer to proceed would create imminent risk of grave harm; and
    • the Data Protection Authority has made reasonable efforts to liaise with the Safe Harbour-certified organization.

Decision 2000/520/EC describes these circumstances as exceptional and states that any suspension of data flows must be justified “notwithstanding the finding of adequate protection.”

Notwithstanding the resolution of the German Data Protection Authority and the opinion of the Working Party, in April 2013 the Department of Commerce’s International Trade Administration (ITA) issued a guidance document where it confirmed the Safe Harbour Scheme as a legitimate transfer mechanism for cloud vendors. The ITA concluded that “[t]he existing Safe Harbor Privacy Principles are comprehensive and flexible enough to address the issues raised by the cloud computing model….”

More information on the operation of the Scheme is available at the following locations:

  • Guide to self-certification (Export.gov: Guide to Self-certification).
  • Certification workbook (Export.gov: Safe Harbor Workbook).
  • Compliance checklist (Export.gov: Checklists for Joining the Safe Harbor Frameworks).
  • Copies of all documents adopted by the EU and the US government which together make up the Safe Harbour Scheme (Export.gov: Safe Harbor Documents).
