In the case C-362/14 Schrems “Safe Harbour” (“Schrems”) the Court of Justice of the European Union (the “ECJ”) held that the Commission’s Safe Harbour Decision of 2000/520/EC (26 July 2000) is invalid. Schrems was brought before the ECJ by the High Court of Ireland based on Mr Schrems’ complaint relating to Facebook data transfers to the United States.
Mr. Schrems claimed that the law and practice of the United States do not offer sufficient protection against automated surveillance based on the activities of the United States intelligence services in the light of Edward Snowden revelations made in 2013. In Schrems the ECJ holds that the Safe Harbour scheme enables interference with the fundamental rights of persons by the United States government authorities and does not ensure adequate level of protection for personal data. Schrems further confirms that, irrespective of the existence of a Commission decision, national data protection authorities (“DPAs”) must be able to independently examine, case-by-case, whether data transfers to a third country comply with the requirements pursuant to the Data Protection Directive (the “Directive”) and thus escalate the case ultimately before the ECJ to decide whether or not a Commission decision is valid.
Notwithstanding Schrems, both the ECJ and the Commission have confirmed their commitment to transatlantic data transfers also in the future, provided that such transfers comply with the fundamental rights of the data subjects. The need for legal certainty and predictability is recognized and, during the coming days, the Commission, Working Party 29 and DPAs are meeting to discuss and assess the implication of Schrems. Commissioner Vera Jourova confirms that the Commission will provide coordinated guidance to the national DPAs in the light of Schrems during the following weeks in order to avoid fragmented implementation of the ruling. The Commission may also provide contact points for assisting European businesses in their data transfers after Schrems.
Finnish companies transferring personal data to the United States by means of Safe Harbour (e.g. when using US cloud services and platforms) will be affected by Schrems. Subject to the upcoming Commission guidelines as well as any future guidance given by the Finnish Data Protection Ombudsman (“DPO”), a due diligence/review of data transfer and other service agreements as well as cloud arrangements may need to be completed. In its unofficial statement, the Finnish DPO has earlier already contested the whistleblowing schemes which may need to be further reviewed because of Schrems.
Notwithstanding Schrems, international data transfers to the United States may be conducted in accordance with other mechanisms available in the Directive, such as by using the Commission Standard Model Clauses or Binding Corporate Rules. In very narrow circumstances, data transfers may also be conducted for example on the basis of performance of a contract or subject to free and informed consent of the data subject.
The Commission is currently negotiating with the US authorities on a new Safe Harbour Agreement. However, questions of national security and data subjects’ fundamental rights still remain unresolved and consequently the schedule for reaching the new agreement with the US authorities remains open. Schrems may, however, provide political pressure to reach a consensus in the trilogy meeting on the EU Data Protection Reform and the Commission anticipates that the new regulation will be in place by the end of 2015.