The Impact of Schrems on Transatlantic Data Flows

Via Rerspecsys, Flickr Commons The Schrems judgment before the Court of Justice (ECJ) invalidated the safe harbour principle, which enabled companies to transfer personal data from the EU to the USA.  The decision highlights a shift from a perception of individual information as traded good, to a rights-based perspective valuing the autonomy of individuals as subjects of the law.  This judgment creates far-reaching and potentially insurmountable consequences for global transatlantic relations. As we analyse the repercussions of Schrems, we ask: does Schrems harken to state surveillance and thereby hold global implications on national regulation? Or instead does it specifically target US data protection practices, focusing on American companies that operate in a unique context where data protection and privacy receive less extensive safeguards than other countries?

Overview of Schrems v. Data Protection Commissioner

Max Schrems challenged the transfer of his personal data from the EU to the USA by claiming American protections “inadequate” under the Data Protection Directive (“DPD”) Article 25(1).  Article 25(6) DPD empowers the Commission to make decisions about the adequacy of third country protection. Schrems used the backdrop of the Snowden revelations and their slow (and arguably unsubstantial) systemic reforms to argue that the terms of the DPD were not met. The Irish regulator rebutted that it was acting merely in accordance with the safe harbour principle of Decision 2000/520. The Commission used its power to determine the adequacy of third country protection (under Article 25(6) DPD) with respect to commercial data flows, and the matter was referred to the ECJ. The ECJ ruled that, while it had the exclusive competence to declare Commission decisions invalid, a Commission decision under Article 25(6) does not prevent national regulatory authorities from reviewing adequacy and responding to complaints.  Referring to fundamental rights, the ECJ declared Decision 2000/520 invalid because: mass surveillance was a per se breach of privacy (Article 7 EU Charter [EUCFR]); there were inadequate enforcement mechanisms; and a lack of remedies for EU data subjects.  Personal data transfers to the US based on the safe harbour agreement now lack a legal basis. Companies are exposed to risks of fines and administrative penalties, consumer complaints and claims against companies processing in breach (plus the risk of reputational damage) and loss of EU business.

The Commission welcomed the ECJ’s judgment as a mandate for the negotiations for a ‘Safe Harbour II’ agreement.  The European Parliament suggested this should be done by the end of the year, while national Data Protection Authorities (DPA) have given the negotiators until 31 January 2016 to come up with a solution before starting enforcement.  This is a tight deadline and any new decision under Article 25(6) DPD will have to comply with the conditions that the ECJ set down in Schrems.  Reliance on EUCFR sets the matter at a higher level of principle than ‘just’ a directive. It is a shift from a legislative framework, in which law can be changed to achieve economic objectives, to a constitutional one, in which legislative choices are constrained by rights.  Future law within the EU (including the draft Data Protection Regulation, as well as external treaties such as TTIP or TiSA) must comply with the EUCFR as now understood.  Any such measures may be subject to challenge and it can now be seen that the ECJ has taken a broad and consistent approach to the appropriate level of protection: Schrems takes place as the latest in a series of cases on data protection (from Digital Rights Ireland onwards).

International Ramifications and Potential Legal Responses

Safe Harbour II negotiations take place against a backdrop of possible legal actions.  Each DPA may now challenge any such Commission decision, limiting the Commission’s freedom of negotiation.  The DPAs recent statement reaffirmed the DPA’s right to investigate.  While some DPAs (such as the British Information Commissioner’s Office) may be quite relaxed about the level of protection, others – such as Schleswig-Holstein - seem keener to take action. As Schrems returned to the Irish High Court, Hogan J held that the DPA had an independent duty to investigate irrespective of any EU / US political developments that may or may not happen.  In sum, the period of grace provided by the Article 29 Working Party cannot be guaranteed, and certainly cannot continue over a period defined by the successful conclusion of safe harbour negotiations. This is especially so since the decentralisation of the power of review goes further than DPAs, including individuals – a point re-affirmed in Schrems.  DPAs potentially face citizenry pressure to take action.   Beyond that, the European Parliament has threatened action: either formal legal action for a failure to act (Article 265 TFEU), or “to place certain budgetary resources for the Commission in a reserve until all recommendations have been properly addressed” (EP Press Release, 13 October 2015).  While those in Silicon Valley may turn to technology as a response to surveillance and security issues, it seems that the European response turns to the law.

As the Schleswig-Holstein DPA noted, the judgment effectively requires far-reaching changes in US domestic law.  Although surveillance is not outlawed by the ECJ ruling, it must be targeted and proportionate.  This may be frustrating from a US perspective: similar surveillance acts among EU member states (the UK’s RIPA and DRIPA, in particular) call into question whether EU protections are more theoretical than actual. Of course, these too may be subject to challenge. That said, the judiciaries of EU member states have recently begun to realize the potential hypocrisy and crack down on mass surveillance (e.g. (Davis & Ors, R.) v. Secretary of State for the Home Department [2015] EWHC 2092).

The concern about levels of protection has spread beyond the EU too, both independently (such as the Japanese amendment to its data protection rules) but also in direct response to Schrems.  For example, Israel has suspended its safe harbour arrangements with the US – presumably to safeguard its own position as ‘safe’ vis a vis the EU.

While attention has concentrated on mass surveillance, the ECJ identified two other issues: redress and enforcement.  According to the evidence before the ECJ, the activities of the NSA were not subject to any form of control or review; therefore, systems of enforcement were deemed deficient.  The problem of enforcement may extend beyond the activities of the state.  The safe harbour system’s reliance on self-certification further shows that enforcement issues extend beyond the activities of the state.  Commission studies found that some companies let their certifications lapse while others had not even bothered in the first place.[1] This state of affairs hardly suggests effective oversight.  So, while the ECJ expressly stated ‘a system of self-certification is not in itself contrary’ to the principles of ensuring protection, ‘the establishment of effective detection and supervision mechanisms’ are required (para 81). In its approach to invalidating the safe harbour decision, the ECJ avoids answering any questions about whether the existing mechanisms are sufficient.  Instead, the Court by focusses on the fact that the Commission did not verify whether these mechanisms were adequate.  The Court’s reasoning turns on the Commission’s actions (or omissions) rather than on the adequacy of the American oversight system itself. This question then remains unanswered.  The final point relates to rights of redress; as the Commission discovered the levels of protection awarded to EU citizens were inadequate.

So what of transfers in the immediate future?  There are other routes that legitimate transatlantic data transfers listed in Article 26(2) DPD, such as Binding Corporate Rules (suitable for intra group transfers) and model contracts (clauses covering data transfers in approved terms) (see COM (2015) 566 final).  Both face difficulties related to comprehensiveness of scope and the effort involved in implementation, though a number of companies (e.g. Microsoft) have been successful. More fundamentally, the logic of Schrems applies to them, so they too are open to challenge. The Commission cannot protect the security of these alternate methods, chiefly because the ECJ perceives American legal framework as inherently flawed. Other methods for cross-border data transfer are similarly problematic.  Notably, while an individual can consent to processing in a country without adequate levels of protection, such consent must be clearly shown and the data subject must be informed of all the risks, which are difficult for businesses to predict.  Further, this consent may be revoked at any point, heightening the onus and insecurity for businesses.

Conclusion

There are no guaranteed quick fixes.  Even if DPAs do not act, businesses face considerable uncertainty and risk legal exposure. EU businesses, therefore, have significant incentives to confine data within EU borders, even if short-term rearrangements may prove inconvenient. The EU market may consequently receive a considerable stimulus, though EU businesses have typically struggled to develop into large enterprises in this sector. This may be because of the fragmented nature of the EU market.  Non-EU companies operating in the EU may seek to establish outposts in the EU, or shift more responsibility to existing bases within the EU. While this adaptation may be possible for multinationals, (indeed many larger corporations already have a significant EU presence) it will be more of a problem for smaller companies and start-ups.  Both governments will be under pressure to come up with Safe Harbour II, but the US faces a more existential dilemma: it will have to introduce fundamental legislative change, or hope the EU does not develop its own silicon valleys, and begin to trade digitally on a reputation that champions the data protection gold standard.

[1] I.e. (COM (2013) 846, COM (2013) 847), and ECJ recognition of (para 21)