On October 6, 2015 the Court of Justice of the European Union (CJEU) released a bombshell, but not completely unexpected, judgment invalidating a decision of the European Commission that underpinned the EU-US privacy safe harbor. In Schrems v. Data Protection Commissioner EUECJ C-362/14 (06 October 2015), the CJEU held that supervisory data authorities in Member States have the joint right with the EU Commission to review whether non-EU countries provide adequate protection to personal data transferred to them from the EU, despite a decision by the EU Commission that such protection is provided. It also invalidated Commission Decision 2000/520, which had found that transfers of personal data from the EU to the US provided adequate protection where the recipient complied with the EU-US Safe Harbour Principles.
The implications of the CJEU’s judgment in Schrems for Canadians must not be underestimated. It directly impacts Canadian multinationals which have relied on the safe harbor to transfer data from their EU to US operations, Canadian businesses that host EU data with service providers with operations in the US, and Canadian businesses that outsource services to US service providers for customers resident in the EU. The reasoning of the judgment potentially undermines every other mechanism the EU’s data protection laws have sanctioned to transfer personal data to the US. This includes the standard contractual clauses, binding corporate rules, and the European Commission’s decision that Canada’s federal data protection law, PIPEDA, adequately protects EU personal data. The judgment may even provide a basis for EU residents to sue data recipients for data that has been transferred to the US using the EU-sanctioned contractual clauses.
Multinational businesses routinely transfer data from the EU to the US. Household names like Facebook, Google, Apple, Microsoft and approximately 4500 other multinational businesses did so relying on a safe harbour mechanism put in place under EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Directive laid down rules on the transfer of personal data to third countries.
Under Art. 25(1) the transfer of personal data can take place only if the third country ensures an adequate level of protection of such data. Under Art. 25(6), in accordance with the procedure referred to in Article 31(2), the EU Commission may find that a third country ensures an adequate level of protection of personal data by reason of its domestic law or of the international commitments it has entered into. If the EU Commission adopts a decision to that effect, the transfer of personal data to the third country concerned may take place. Also, Member States are required to take the measures necessary to comply with an EU Commission decision.
The EU Commission adopted Decision 2000/520 pursuant to Art. 25(6). Under the Decision, if the safe harbour privacy principles are implemented, the processes are considered to ensure an adequate level of protection for personal data transferred from the EU to undertakings established in the US. The effect of Decision 2000/520 is to authorize the transfer of personal data from EU Member States to entities in the US which have undertaken to comply with the safe harbour principles.
As required, the Directive and Decision were implemented in Member States. For example, in Ireland, Section 11(1) of the Data Protection Act sets out a general prohibition on the transfer of personal data outside of Ireland except where the foreign state ensures an adequate level of protection for the privacy of data subjects. It also contains a sub-section which allows for the pre-emption of Irish law by EU law where a Community finding as to the adequacy of data protection in the third country has been made by the EU Commission. Under Section 11(2)(a), in any proceedings under the Act, if a question arises about whether an adequate level of protection exists in a country outside of the EU to which data is transferred, and if a Community finding (a determination under Art. 25(6) under the procedure set out in Art. 31(2)) has been made in relation to transfers of the kind in question, the question shall be determined in accordance with that finding. This process, therefore, enabled Irish-based undertakings such as Facebook Ireland to transfer data of EU residents to Facebook Inc. in the US.
The Irish High Court Decision
Following the revelations about US surveillance by Edward Snowden, Max Schrems, an Austrian resident, complained to the Irish Data Protection Commissioner about the transfers. The Commissioner determined that although there was generally power to investigate complaints about transfers of data outside of Ireland to territories that don’t have adequate data protection laws, the Commissioner couldn’t act because, among other things, the Commissioner did not have the authority to challenge the finding of adequacy by the EU Commission in Decision 2000/520.
The Irish Commissioner’s decision was appealed to the Irish High Court. The court, in Schrems v Data Protection Commissioner IEHC 310 (18 June 2014), questioned whether the Directive and the EU Commission’s Decision needed to be re-evaluated in the light of the EU Charter of Fundamental Rights and whether the Commissioner could look beyond or otherwise disregard the Community finding.
The court reviewed information about the US PRISM program and noted that while “there may be some dispute regarding the scope and extent of some of these programmes” “in the wake of the Snowden revelations, the available evidence presently admits of no other realistic conclusion” other than that “personal data transferred by companies such as Facebook Ireland to its parent company in the United States is…capable of being accessed by the NSA in the course of a mass and indiscriminate surveillance of such data.”
The court also noted that many of the activities of the NSA are subject to the supervision of the FISA court. However, it was skeptical that oversight by the FISA court provided sufficient guarantees that non-US data subjects “enjoy effective data protection rights in that jurisdiction so far as generalised and mass State surveillance of interception of communications is concerned.” “The Snowden revelations demonstrate – almost beyond peradventure – that the US security services can routinely access the personal data of European citizens which has been so transferred to the United States and, in these circumstances, one may fairly question whether US law and practice in relation to data protection and State security provides for meaningful or effective judicial or legal control.”
The Court went on to assess whether, on the basis of the evidence before it, transfers of data to the US under the safe harbour would comply with Irish and EU data protection laws. Justice Hogan expressed the opinion that it would be difficult to see how such transfers could comply with the Irish constitutional protections for privacy, that the potential for abuse “would be enormous”, and that, if permitted to do so, “this would indeed have been a matter which the Commissioner would have been obliged further to investigate”. As the validity of the safe harbour regime was not challenged in the judicial review proceedings, the court did not have to express any final decision on whether the Commission Decision was valid. The court nevertheless questioned whether it was, going even further to find that “it is not immediately apparent how the present operation of the Safe Harbour Regime can in practice satisfy the requirements of Article 8(1) and Article 8(3) of the Charter”.
Based on these findings, the High Court referred a question to the CJEU asking whether a data protection authority is bound by the EU Commission’s findings of adequacy with respect to data transferred to the US under the safe harbour regime.
Advocate General Opinion
Two weeks before the judgment of the CJEU was delivered, Advocate General Bot delivered an Opinion in the case. The AG rendered two important opinions which were largely followed by the CJEU in the Schrems judgment.
First, the AG addressed the effect to be given to a Commission decision of adequacy and whether such a decision could be challenged by supervisory authorities in Member States. According to the AG, where the Commission finds that a third country ensures an adequate level of protection within the meaning of Art. 25(2), the Member States must take the necessary measures to comply with the Commission’s decision. The effect of the decision is to allow transfers of personal data to a third country whose level of protection is considered adequate by the Commission. A Commission decision ensures uniformity in the transfer conditions applicable in the Member States.
However, that uniformity can continue only while that finding is not called into question. The finding can be called into question by either the Commission or the supervisory authority of a Member State. The competence to make a finding of adequacy is shared and may be exercised either by the Commission or by the Member State, although their jurisdiction is not completely equal.
A supervisory authority has the power to block particular transfers of personal data to countries such as the US where it finds that such transfers do not comply with data protection laws. However, only the CJEU has the jurisdiction to invalidate a decision such as the Decision declaring the safe harbour regime to provide adequate legal protection. “In the absence of a declaration of invalidity, amendment or repeal by the Commission, the decision remains binding in its entirety and directly applicable in all Member States.”
Second, the AG addressed whether Decision 2000/520 was valid. The AG expressed the opinion that the Decision was invalid based on “the current factual and legal context”.
The question of “adequacy” is to be determined based on whether the non-EU territory “offers a level of protection that is essentially equivalent to that afforded by the directive, even though the manner in which that protection is implemented may differ from that generally encountered within the European Union.” According to the AG, the safe harbour regime could not meet this standard because:
- The revelations concerning the activities of the NSA. “Under the regime, ‘[a]dherence to [the Safe Harbour] Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case-law that create conflicting obligations or explicit authorisations, provided that, in exercising any such authorisation, an organisation can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorisation’.” The derogations are not limited to what is strictly necessary.
- The safe harbour regime lacked adequate guarantees and a sufficient control mechanism. EU law relies on an external control mechanism in the form of an independent authority to ensure compliance with the rules on the protection of personal data. “The law and practice of the United States allow the large-scale collection of the personal data of citizens of the Union which is transferred under the safe harbour scheme, without those citizens benefiting from effective judicial protection.” “[C]itizens of the Union have no appropriate remedy against the processing of their personal data for purposes other than those for which it was initially collected and then transferred to the United States.”
- EU citizens have no effective right to be heard on the question of the surveillance and interception of their data. There is oversight on the part of the FISC, but the proceedings before it are secret and ex parte. That amounts to an interference with the right of citizens of the Union to an effective remedy, protected by Article 47 of the Charter.
- The claim that US surveillance interfered with the fundamental rights protected by Articles 7, 8 and 47 of the EU Charter which is permitted by the derogations from the safe harbour principles, set out in the fourth paragraph of Annex I to Decision 2000/520, was “made out”.
- The interference with EU citizens’ privacy rights could not be justified. Further, the exceptions were too generally stated and did not “pursue an objective of general interest defined with sufficient precision.”
- The interference with fundamental rights was not proportionate. The “access which the United States intelligence authorities may have to the personal data transferred covers, in a generalised manner, all persons and all means of electronic communication and all the data transferred, including the content of the communications, without any differentiation, limitation or exception according to the objective of general interest pursued.” “Indeed, the access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security.” “Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter.”
- The private dispute resolution mechanisms and the FTC, owing to its role limited to commercial disputes, were not a means of challenging access by the United States intelligence services to personal data transferred from the European Union. The FTC does not have the power to monitor possible breaches of principles for the protection of personal data by public actors such as the United States security agencies.
- The US FISA court does not offer an effective judicial remedy to citizens of the EU whose personal data is transferred to the United States. “The protection against surveillance by government services provided for in section 702 of the Foreign Intelligence Surveillance Act of 1978 applies only to United States citizens and to foreign citizens legally resident on a permanent basis in the United States.”
- There are no opportunities for citizens of the EU to obtain access to or rectification or erasure of data, or administrative or judicial redress with regard to collection and further processing of their personal data taking place under the United States surveillance programmes.
The AG concluded that by “adopting Decision 2000/520 and then maintaining it in force, the Commission exceeded the limits imposed by compliance with the principle of proportionality in the light of Articles 7, 8 and 52(1) of the Charter. To that must be added the finding of an unwarranted interference with the right of citizens of the Union to an effective remedy as protected by Article 47 of the Charter.” According to the AG, the Commission should have taken steps on its own initiative to have set aside the Decision. Having not done so, the AG stated that the Decision should be declared invalid “since, owing to the breaches of fundamental rights described above, the safe harbour scheme which it establishes cannot be regarded as ensuring an adequate level of protection of the personal data transferred from the European Union to the United States under that scheme.”
Decision of the CJEU
The CJEU addressed the same two issues considered by the AG.
On the first issue, the CJEU reiterated the opinion of the AG that only the CJEU has the jurisdiction to set aside a decision of the EU Commission under Art. 25(6). Until the decision is either revoked by the Commission or set aside by the CJEU, it remains binding on Member States. Thus, until such an event occurs, transfers of personal data to the US under the safe harbour regime legally comply with the prohibition against transfers of personal data to jurisdictions which do not provide the required level of protection.
The CJEU also agreed with the AG that the supervisory authority has the right to examine any finding of adequacy in considering whether to block particular transfers of personal data upon a complaint being lodged by an individual.
The CJEU then embarked on an analysis of whether Decision 2000/520 was compatible with EU law including the Charter protections individuals have with respect to privacy and the processing of their data. It concluded, as the AG had, that it did not and ruled it invalid.
The CJEU judgment confirmed that whether the laws of a non-EU state are “adequate” has to be assessed based on “the protection of the private lives and basic freedoms and rights of individuals”. The term “adequate level of protection” must be understood as requiring the third country in fact to ensure, at all relevant times, “that by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter.”
The CJEU found the following aspects of the safe harbour regime to be incompatible with EU law:
- The safe harbour principles “may be limited ‘to the extent necessary to meet national security, public interest, or law enforcement requirements’ and ‘by statute, government regulation, or case-law that create conflicting obligations or explicit authorisations, provided that, in exercising any such authorisation, an organisation can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorisation’.” US organizations are required to comply with US laws. In doing so, they are bound to disregard the other safe harbour principles where they conflict with those requirements and therefore prove incompatible with them. The Decision “thus enables interference, founded on national security and public interest requirements or on domestic legislation of the United States, with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States.” The Decision made no finding of any limitations in US law intended to limit such activities.
- The CJEU relied on a prior 2013 Commission document (Communication COM(2013) 847 final) which it treated as providing an evidentiary basis establishing that “the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security” and “that the data subjects had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.”
- Under EU law, derogations and limitations in relation to the protection of personal data apply only in so far as is strictly necessary. “Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail.” “Legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter”.
- The Decision did not contain sufficient findings regarding the measures by which the US ensures an adequate level of protection. The Commission also did not state in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments.
- The safe harbour protections applied only to the self-certifying organizations and not US public authorities.
- The private dispute resolution mechanisms concern compliance by the United States undertakings with the safe harbour principles and cannot be applied in disputes relating to the legality of interference with fundamental rights that results from measures originating from the US government.
- Further, under EU law, “legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter. The first paragraph of Article 47 of the Charter requires everyone whose rights and freedoms guaranteed by the law of the European Union are violated to have the right to an effective remedy before a tribunal in compliance with the conditions laid down in that article.”
Implications of the Schrems Judgment
The full implications of the proceedings involving Schrems are not known. However, its effects on the legality of transfers of personal data from the EU to the US range from those that are immediate, to those that could manifest over time.
Personal data cannot be transferred from the EU to the US unless the US ensures an adequate level of protection for such personal data, as that phrase has been interpreted by the CJEU. Prior to the judgment of the CJEU, personal data could be transferred to the US under the safe harbour principles, or using the contractual clauses or binding corporate rules, procedures authorized by the EC Directive, or by relying on an exception or other derogation set out in the EC Directive, or by obtaining express authorization for the transfer from a data protection authority.
Transfers of personal data to Canada are on a similar footing, except that instead of a safe harbour regime, the EU Commission rendered another decision finding that Canada’s federal privacy legislation, PIPEDA, ensures an adequate level of protection for such personal data. Similar findings were made about the laws of other countries including Argentina, Israel, New Zealand, Uruguay, and Switzerland.
The judgment in Schrems impacts, or potentially impacts, each of these methods of transferring personal data outside of the EU.
Transfers of personal data to the US under the safe harbour
The first direct casualty of the judgment is the EU-US safe harbour regime. The cornerstone of the regime was the “blessing” by the EU Commission that compliance with the safe harbour principles guaranteed an adequate level of protection necessary to comply with the data protection laws of Member States. It also provided comfort that the supervisory authorities could not challenge the adequacy of that finding.
It is now clear from the CJEU judgment that supervisory authorities have the jurisdiction to challenge particular transfers of data in response to a complaint. Accordingly, transfers of personal data can be challenged by data protection authorities on that basis alone.
The more nuanced question is whether businesses can continue to follow the safe harbour regime and hope that it will be regarded as providing adequate protection notwithstanding the judgment of the CJEU, or at least rely on it until a data protection authority decides to block transfers based on a complaint. Many commentators have concluded that the result of the judgment is to completely undo the safe harbor making compliance with it irrelevant.
The actual effect of the judgment is theoretically more nuanced because of the different ways Member States implemented the EU Directive. This requires almost a country-by-country analysis to determine the full implications of the judgment across the EU.
For example, in some countries, the transfer of personal data out of the EU is strictly prohibited unless there has been a finding of adequacy by the EU Commission. In these countries, the judgment of the CJEU undermines the legal basis for transfer of personal data to the US in reliance on the EU-US safe harbour. In other countries, a data protection authority may have expressly approved transfers of data to the US. The effect of the Schrems judgment on those approvals will vary from country to country, depending on the legal regime and the steps the data protection authority takes.
The situation may be different in other countries where transfers of personal data are permitted without express authorization. Here the data controller has the burden of establishing that transfers are effected in a manner that ensures an adequate level of protection. In these countries, whether continued transfers can be made in reliance on the safe harbor may depend on whether the reasons of the CJEU could be overcome in a subsequent proceeding before supervisory authorities. It has been argued that the CJEU’s judgment was based, in large part, on deficiencies in the findings of the EU Commission about the safe harbour framework, but that the court did not find, as a matter of law, that the US lacked the protections required by EU law. It has further been argued that the CJEU did not actually examine the US surveillance programs or the legal basis for those programs, did not understand how Section 702 of FISA actually operates, did not recognize that the surveillance activities were carried out lawfully, and relied on the outdated, inaccurate and highly critical 2013 EU Commission report.
Overcoming the judgment of the CJEU (and the findings of the High Court of Ireland and the opinion of the Advocate General in the Schrems proceedings) would likely be a real uphill battle.
- First, it is debatable that, even if the scope of the PRISM program is properly understood, it would satisfy the standards for privacy and data protection the CJEU lays out in Schrems, as the program selects targets who are non-U.S. persons located outside the United States on the basis of very broad criteria. The interference with EU citizens’ privacy rights would have to be based on the principle of “strict necessity”.
- Second, it would have to be established that the PRISM program contains a dispute resolution process that provides a judicial means of redress, rectification or erasure of such data that applies to the US government.
- Third, it would likely have to be shown that the 2013 Commission document (Communication COM(2013) 847 final) was incorrect at the time of its issuance, or is no longer accurate.
- Fourth, there might be a question as to the extent to which the judgment is binding on supervisory authorities or lower courts. The CJEU made an express finding that US organizations are required to comply with US laws and that in doing so, “they are bound to disregard the other safe harbour principles where they conflict with those requirements and therefore prove incompatible with them.” Further, under Art. 25(6) of the Directive, in certain situations where the EU Commission makes a finding that a third country does not ensure an adequate level of protection, Member States are required to take the measures necessary to prevent any transfer of data of the same type to the third country in question. There would be questions as to whether the judgment constitutes such a finding and whether data protection authorities’ independent mandates give them the right to make findings that are different from those of the EU Commission.
In any event, transfers of personal data from the EU to the US would be particularly risky given the reasons of the CJEU in the Schrems judgment. Moreover, the Article 29 Working Party has issued a statement regarding the effect of the Schrems judgment.
“Regarding the practical consequences of the CJEU judgment, the Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbour decision”). In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful.”
Given that this is a joint statement by the data protection authorities which enforce data protection laws in Member States, their views must be given considerable weight.
Transfers of personal data using the standard contractual clauses or binding corporate rules
The Council and the European Parliament gave the EU Commission the power to decide, on the basis of Art. 26(4) of Directive 95/46/EC, that certain standard contractual clauses offer sufficient safeguards as required by Art. 26(2). The Commission has so far issued two sets of standard contractual clauses for transfers from data controllers to data controllers established outside the EU/EEA and one set for transfers to processors established outside the EU/EEA.
The uses of these clauses may become problematic as a result of the Schrems judgment.
- Schrems makes it clear that supervisory authorities may still look behind the EU Commission’s findings of adequacy. Presumably, this would apply to a complaint to a supervisory authority that the contractual clauses are not effective to comply with EU data protection laws. A German data protection authority has already issued a position paper to declare the contractual clauses and even express consents to be an invalid way of transferring data to the US. Other German authorities have taken a similar position. However, on October 16, 2015, the Article 29 Working Party issued a statement that while the Working Party is continuing its analysis on the impact of the CJEU judgment on transfer tools, “data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used”. However, they note that “this will not prevent data protection authorities to investigate particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals”.
- On the basis of Schrems, it is likely that the contractual clauses framework could not be invalidated by supervisory authorities. However, they could be invalidated by the CJEU or revoked by the EU Commission based on the judgment in Schrems. For example:
  - the clauses contain only a limited basis for supervisory authorities to exercise their existing powers to block data transfers out of the EU. The CJEU judgment found a similar limitation in the EU-US safe harbour to be one of the two bases on which it invalidated that safe harbour;
  - the clauses contemplate that disclosures will have to be made to comply with national laws, including for national security, defense, and public security purposes; while the contemplated disclosures are worded differently than those set out in the EU-US safe harbour principles and are intended to be limited to what is necessary in a democratic society, the data importers in the US would have to comply with US laws, laws which the CJEU in its judgment found to be problematic; and
  - the clauses give data subjects remedies against the data exporter and the data importer, but provide no means of redress against governments such as the US government.
- Under the contractual clauses, the data exporter and data importer make agreements and warranties with respect to the transfers and uses of the data by the data importer. They are jointly and severally liable including to data subjects who are express beneficiaries of many of the commitments. In light of the judgment of the CJEU it is unclear if these agreements and warranties can be entered into or complied with without breaching them and incurring direct liability to data subjects in Member States.
Similar considerations would apply to Binding Corporate Rules. Binding Corporate Rules (BCRs) are internal rules (such as a Code of Conduct) adopted by a multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection. They are used by multinational companies in order to adduce adequate safeguards for the protection of the privacy and fundamental rights and freedoms of individuals within the meaning of article 26(2) of Directive 95/46/CE for all transfers of personal data protected under a European law.
There are practical problems in using BCRs. For example, the rules must be approved under an EU cooperation procedure, which can take over a year to complete.
Transfers of personal data under other EC adequacy decisions such as PIPEDA
In 2001, the EU Commission issued Commission Decision 2002/2/EC of 20 December 2001, finding that Canada’s federal privacy law, PIPEDA, provides an adequate level of protection for personal data transferred from the EU to Canada. Similar findings were made about the laws of other countries including Argentina, Israel, New Zealand, Uruguay, and Switzerland.
The reliance on these decisions may also become problematic as a result of the Schrems judgment. For example, and with reference to PIPEDA:
- As noted above, Schrems makes it clear that supervisory authorities may still look behind the EU Commission’s findings of adequacy. Presumably, this would apply to a complaint to a supervisory authority alleging that PIPEDA is not effective, in fact, to provide an adequate level of protection to comply with EU data protection laws.
- On the basis of Schrems, it is likely that the EU Commission decision regarding PIPEDA could not be invalidated by supervisory authorities. However, the decision could be invalidated by the CJEU or revoked by the EU Commission based on the reasons set out in the Schrems judgment. For example:
  - the decision contains only a limited basis for supervisory authorities to exercise their existing powers to block data transfers out of the EU to Canadian recipients. The CJEU judgment found a similar limitation in the EU-US safe harbour to be one of the two bases for invalidating that safe harbour;
  - PIPEDA contains exemptions which permit disclosure of personal information for a variety of purposes, including as required to comply with “a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records”; or where the disclosure is “made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that, inter alia, it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs”. The EU Commission made no express findings that such disclosures are consistent with the specific purposes and proportionality principles under EU law, or that the exercise of such powers by Canada’s security agencies provides adequate protection for the personal information of EU residents. It also remains open to anyone to challenge the use of these exemptions based on current circumstances in Canada; and
  - PIPEDA applies to Canadian organizations and provides no means of redress against the government for misuse of EU personal data.
What’s Next and Options
Canadian businesses with operations in the EU and the US have a number of bad choices. However, they are not alone. Given the approximately 4500 entities that relied on the safe harbour, there is some comfort in the numbers affected, at least in the short term.
The EU Article 29 Working Party released a joint statement on October 16, 2015 to provide guidance on the CJEU judgment. In it they expressed the view that the EU-US safe harbour can no longer be relied upon and that the standard contractual clauses and BCRs can be used, at least until they complete their analysis of the judgment. They warn, however, that they will commence enforcement actions by the end of January 2016 if no solution is found with the US authorities by that time.
Following the landmark ruling of the Court of Justice of the European Union (CJEU) of 6 October 2015 in the Maximilian Schrems v Data Protection Commissioner case (C-362-14), the EU data protection authorities assembled in the Article 29 Working Party have discussed the first consequences to be drawn at European and national level. EU data protection authorities consider that it is absolutely essential to have a robust, collective and common position on the implementation of the judgment. Moreover, the Working Party will observe closely the developments of the pending procedures before the Irish High Court.
First, the Working Party underlines that the question of massive and indiscriminate surveillance is a key element of the Court’s analysis. It recalls that it has consistently stated that such surveillance is incompatible with the EU legal framework and that existing transfer tools are not the solution to this issue. Furthermore, as already stated, transfers to third countries where the powers of state authorities to access information go beyond what is necessary in a democratic society will not be considered as safe destinations for transfers. In this regard, the Court’s judgment requires that any adequacy decision implies a broad analysis of the third country domestic laws and international commitments.
Therefore, the Working Party is urgently calling on the Member States and the European institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights. Such solutions could be found through the negotiations of an intergovernmental agreement providing stronger guarantees to EU data subjects. The current negotiations around a new Safe Harbour could be a part of the solution. In any case, these solutions should always be assisted by clear and binding mechanisms and include at least obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights.
In the meantime, the Working Party will continue its analysis on the impact of the CJEU judgment on other transfer tools. During this period, data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used. In any case, this will not prevent data protection authorities to investigate particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals.
If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.
Regarding the practical consequences of the CJEU judgment, the Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbour decision”). In any case, transfers that are still taking place under the Safe harbour decision after the CJEU judgment are unlawful…
In conclusion, the Working Party insists on the shared responsibilities between data protection authorities, EU institutions, Member States and businesses to find sustainable solutions to implement the Court’s judgment. In particular, in the context of the judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis. (highlighting omitted)
The EU and US were also reportedly close to finalizing an Umbrella Agreement to provide a proper and comprehensive framework of protection for all data exchanges between the EU and US in the field of criminal law enforcement.
Those companies that rely on the EU-US safe harbour need to consider other options, including using the standard contractual clauses or BCRs. They should also consider conducting their own risk assessments to determine whether their data handling processes, or measures available to them such as encryption of data before transfer to the US, can assure an adequate level of protection. Consideration also needs to be given to the country or countries from which data is to be transferred. In some countries, for example, specific permits or authorizations might be granted so as to permit specific transfers of personal data. There is also a need to examine the basis on which their service providers transfer data from the EU to the US. Canadian businesses that import data from the EU directly to Canada are currently in a better position, as they can continue to rely on the Commission Decision of 20 December 2001, at least for now.
*Updated Oct 16, 2015
The Court stated: “It would seem, however, that the FISA Court’s hearings are entirely conducted in secret, so that even the court orders and its jurisprudence remain a closed book. The US security authorities are, in effect, the only parties who are or who can be heard in respect of such applications before the FISA Court. One of the striking features of the Snowden revelations was the disclosure of (hitherto secret) orders of the FISA Court which effectively required major telecommunication companies to make disclosure of daily telephone call records on a vast and undifferentiated scale, while the company in question was itself prevented from disclosing the existence or the nature of the order. Yet the essentially secret and ex parte nature of the FISA Court’s activities makes an independent assessment of its orders and jurisprudence all but impossible. This is another factor which must – to some degree, at least – cast a shadow over the extent to which non-US data subjects enjoy effective data protection rights in that jurisdiction so far as generalised and mass State surveillance of interception of communications is concerned.”
 According to the High Court:
“In this regard, it is very difficult to see how the mass and undifferentiated accessing by State authorities of personal data generated perhaps especially within the home – such as e-mails, text messages, internet usage and telephone calls – would pass any proportionality test or could survive constitutional scrutiny on this ground alone. The potential for abuse in such cases would be enormous and might even give rise to the possibility that no facet of private or domestic life within the home would be immune from potential State scrutiny and observation.
Such a state of affairs – with its gloomy echoes of the mass state surveillance programmes conducted in totalitarian states such as the German Democratic Republic of Ulbricht and Honecker – would be totally at odds with the basic premises and fundamental values of the Constitution…
That general protection for privacy, person and security in Article 40.5 would thus be entirely compromised by the mass and undifferentiated surveillance by State authorities of conversations and communications which take place within the home. For such interception of communications of this nature to be constitutionally valid, it would, accordingly, be necessary to demonstrate that this interception of communications and the surveillance of individuals or groups of individuals was objectively justified in the interests of the suppression of crime and national security and, further, that any such interception was attended by appropriate and verifiable safeguards.
If this matter were entirely governed by Irish law, then, measured by these constitutional standards, a significant issue would arise as to whether the United States “ensures an adequate level of protection for the privacy and the fundamental rights and freedoms” of data subjects, such as would permit data transfers to that country having regard to the general prohibition contained in s. 11(1) of the 1988 Act and the constitutional principles I have just set out. Certainly, given what I have already described as the (apparently) limited protection given to data subjects by contemporary US law and practice so far as State surveillance is concerned, this would indeed have been a matter which the Commissioner would have been obliged further to investigate.”
 According to the High Court:
“Judged by these standards, it is not immediately apparent how the present operation of the Safe Harbour Regime can in practice satisfy the requirements of Article 8(1) and Article 8(3) of the Charter, especially having regard to the principles articulated by the Court of Justice in Digital Rights Ireland. Under this self-certification regime, personal data is transferred to the United States where, as we have seen, it can be accessed on a mass and undifferentiated basis by the security authorities. While the FISA Court doubtless does good work, the FISA system can at best be described as a form of oversight by judicial personages in respect of applications for surveillance by the US security authorities. Yet the very fact that this oversight is not carried out on European soil and in circumstances where the data subject has no effective possibility of being heard or making submissions and, further, where any such review is not carried out by reference to EU law are all considerations which would seem to pose considerable legal difficulties. It must be stressed, however, that neither the validity of the 1995 Directive nor the Commission Decision providing for the Safe Harbour Regime are, as such, under challenge in these judicial review proceedings.”
“The Safe Harbour Regime was, of course, not only drafted before the Charter came into force, but its terms may also reflect a somewhat more innocent age in terms of data protection. This Regime also came into force prior to the advent of social media and, of course, before the massive terrorist attacks on American soil which took place on September 11th, 2001. Outrages of this kind – sadly duplicated afterwards in Madrid, London and elsewhere – highlighted to many why, subject to the appropriate and necessary safeguards, intelligence services needed as a matter of practical necessity to have access to global telecommunications systems in order to disrupt the planning of such attacks.”
 The question referred to the CJEU was framed as follows:
“Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in Commission Decision of 26 July 2000 (2000/520/EC) having regard to Article 7 and Article 8 of the Charter of Fundamental Rights of the European Union (2000/C 364/01), the provisions of Article 25(6) of Directive 95/46/EC notwithstanding? Or, alternatively, may the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission Decision was first published?”
 According to the AG:
Article 28 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that the existence of a decision adopted by the European Commission on the basis of Article 25(6) of Directive 95/46 does not have the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data.
 According to the CJEU:
In order to control transfers of personal data to third countries according to the level of protection accorded to it in each of those countries, Article 25 of Directive 95/46 imposes a series of obligations on the Member States and the Commission. It is apparent, in particular, from that article that the finding that a third country does or does not ensure an adequate level of protection may, as the Advocate General has observed in point 86 of his Opinion, be made either by the Member States or by the Commission.
The Commission may adopt, on the basis of Article 25(6) of Directive 95/46, a decision finding that a third country ensures an adequate level of protection. In accordance with the second subparagraph of that provision, such a decision is addressed to the Member States, who must take the measures necessary to comply with it. Pursuant to the fourth paragraph of Article 288 TFEU, it is binding on all the Member States to which it is addressed and is therefore binding on all their organs (see, to this effect, judgments in Albako Margarinefabrik, 249/85, EU:C:1987:245, paragraph 17, and Mediaset, C‑69/13, EU:C:2014:71, paragraph 23) in so far as it has the effect of authorising transfers of personal data from the Member States to the third country covered by it.
Thus, until such time as the Commission decision is declared invalid by the Court, the Member States and their organs, which include their independent supervisory authorities, admittedly cannot adopt measures contrary to that decision, such as acts intended to determine with binding effect that the third country covered by it does not ensure an adequate level of protection. Measures of the EU institutions are in principle presumed to be lawful and accordingly produce legal effects until such time as they are withdrawn, annulled in an action for annulment or declared invalid following a reference for a preliminary ruling or a plea of illegality (judgment in Commission v Greece, C‑475/01, EU:C:2004:585, paragraph 18 and the case-law cited).
However, a Commission decision adopted pursuant to Article 25(6) of Directive 95/46, such as Decision 2000/520, cannot prevent persons whose personal data has been or could be transferred to a third country from lodging with the national supervisory authorities a claim, within the meaning of Article 28(4) of that directive, concerning the protection of their rights and freedoms in regard to the processing of that data. Likewise, as the Advocate General has observed in particular in points 61, 93 and 116 of his Opinion, a decision of that nature cannot eliminate or reduce the powers expressly accorded to the national supervisory authorities by Article 8(3) of the Charter and Article 28 of the directive…
In this connection, the Court’s settled case-law should be recalled according to which the European Union is a union based on the rule of law in which all acts of its institutions are subject to review of their compatibility with, in particular, the Treaties, general principles of law and fundamental rights (see, to this effect, judgments in Commission and Others v Kadi, C‑584/10 P, C‑593/10 P and C‑595/10 P, EU:C:2013:518, paragraph 66; Inuit Tapiriit Kanatami and Others v Parliament and Council, C‑583/11 P, EU:C:2013:625, paragraph 91; and Telefónica v Commission, C‑274/12 P, EU:C:2013:852, paragraph 56). Commission decisions adopted pursuant to Article 25(6) of Directive 95/46 cannot therefore escape such review.
That said, the Court alone has jurisdiction to declare that an EU act, such as a Commission decision adopted pursuant to Article 25(6) of Directive 95/46, is invalid, the exclusivity of that jurisdiction having the purpose of guaranteeing legal certainty by ensuring that EU law is applied uniformly (see judgments in Melki and Abdeli, C‑188/10 and C‑189/10, EU:C:2010:363, paragraph 54, and CIVAD, C‑533/10, EU:C:2012:347, paragraph 40).
Whilst the national courts are admittedly entitled to consider the validity of an EU act, such as a Commission decision adopted pursuant to Article 25(6) of Directive 95/46, they are not, however, endowed with the power to declare such an act invalid themselves (see, to this effect, judgments in Foto-Frost, 314/85, EU:C:1987:452, paragraphs 15 to 20, and IATA and ELFAA, C‑344/04, EU:C:2006:10, paragraph 27). A fortiori, when the national supervisory authorities examine a claim, within the meaning of Article 28(4) of that directive, concerning the compatibility of a Commission decision adopted pursuant to Article 25(6) of the directive with the protection of the privacy and of the fundamental rights and freedoms of individuals, they are not entitled to declare that decision invalid themselves.
 According to the CJEU:
“On the contrary, Article 28 of Directive 95/46 applies, by its very nature, to any processing of personal data. Thus, even if the Commission has adopted a decision pursuant to Article 25(6) of that directive, the national supervisory authorities, when hearing a claim lodged by a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him, must be able to examine, with complete independence, whether the transfer of that data complies with the requirements laid down by the directive….
Having regard to those considerations, where a person whose personal data has been or could be transferred to a third country which has been the subject of a Commission decision pursuant to Article 25(6) of Directive 95/46 lodges with a national supervisory authority a claim concerning the protection of his rights and freedoms in regard to the processing of that data and contests, in bringing the claim, as in the main proceedings, the compatibility of that decision with the protection of the privacy and of the fundamental rights and freedoms of individuals, it is incumbent upon the national supervisory authority to examine the claim with all due diligence….
where the national supervisory authority considers that the objections advanced by the person who has lodged with it a claim concerning the protection of his rights and freedoms in regard to the processing of his personal data are well founded, that authority must, in accordance with the third indent of the first subparagraph of Article 28(3) of Directive 95/46, read in the light in particular of Article 8(3) of the Charter, be able to engage in legal proceedings. It is incumbent upon the national legislature to provide for legal remedies enabling the national supervisory authority concerned to put forward the objections which it considers well founded before the national courts in order for them, if they share its doubts as to the validity of the Commission decision, to make a reference for a preliminary ruling for the purpose of examination of the decision’s validity.
Having regard to the foregoing considerations, the answer to the questions referred is that Article 25(6) of Directive 95/46, read in the light of Articles 7, 8 and 47 of the Charter, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Decision 2000/520, by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.”
 The CJEU quoted from the Communication as follows:
On the same date, 27 November 2013, the Commission adopted the communication to the European Parliament and the Council on the Functioning of the Safe Harbour from the Perspective of EU Citizens and Companies Established in the [European Union] (COM(2013) 847 final) (‘Communication COM(2013) 847 final’). As is clear from point 1 thereof, that communication was based inter alia on information received in the ad hoc EU-US Working Group and followed two Commission assessment reports published in 2002 and 2004 respectively…
In addition, the Commission stated in point 7 of Communication COM(2013) 847 final that ‘all companies involved in the PRISM programme [a large-scale intelligence collection programme], and which grant access to US authorities to data stored and processed in the [United States], appear to be Safe Harbour certified’ and that ‘[t]his has made the Safe Harbour scheme one of the conduits through which access is given to US intelligence authorities to collecting personal data initially processed in the [European Union]’. In that regard, the Commission noted in point 7.1 of that communication that ‘a number of legal bases under US law allow large-scale collection and processing of personal data that is stored or otherwise processed [by] companies based in the [United States]’ and that ‘[t]he large-scale nature of these programmes may result in data transferred under Safe Harbour being accessed and further processed by US authorities beyond what is strictly necessary and proportionate to the protection of national security as foreseen under the exception provided in [Decision 2000/520]’.
In point 7.2 of Communication COM(2013) 847 final, headed ‘Limitations and redress possibilities’, the Commission noted that ‘safeguards that are provided under US law are mostly available to US citizens or legal residents’ and that, ‘[m]oreover, there are no opportunities for either EU or US data subjects to obtain access, rectification or erasure of data, or administrative or judicial redress with regard to collection and further processing of their personal data taking place under the US surveillance programmes’.
According to point 8 of Communication COM(2013) 847 final, the certified companies included ‘[w]eb companies such as Google, Facebook, Microsoft, Apple, Yahoo’, which had ‘hundreds of millions of clients in Europe’ and transferred personal data to the United States for processing.
The Commission concluded in point 8 that ‘the large-scale access by intelligence agencies to data transferred to the [United States] by Safe Harbour certified companies raises additional serious questions regarding the continuity of data protection rights of Europeans when their data is transferred to the [United States]’.
Art. 26 sets out specific derogations from Art. 25. It states:
1. By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2) may take place on condition that:
   (a) the data subject has given his consent unambiguously to the proposed transfer; or
   (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject’s request; or
   (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
   (d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
   (e) the transfer is necessary in order to protect the vital interests of the data subject; or
   (f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
2. Without prejudice to paragraph 1, a Member State may authorise a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.
“The ECJ held separately that the Framework as it exists is invalid. Unlike the Advocate General’s opinion though, which listed a number of deficiencies all closely linked to the recent NSA disclosures, the ECJ made its determination on two fairly narrow grounds. First, “legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications” is facially a violation of the right to privacy under the Charter of Fundamental Rights of the European Union (¶94). Second, the failure to provide citizens a judicially-enforced rights of access, and to delete, personal data “does not respect the essence of the fundamental right to effective judicial protection” under the Charter (¶95). The Court did not hold as a matter of law that the U.S. lacked either of those protections (though it noted that the Commission seemed to believe the U.S. had excessive access to data, and that there was insufficient judicial redress). The main issue was that “the Commission did not state in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments” (¶98).
The second flaw with Decision 2000/520, according to the ECJ, is that the EU Commission exceeded its authority in restricting EU member states’ authority to investigate and enforce violations of EU data protection law (¶103). That is, while the individual countries cannot challenge the validity of a Commission decision, the Commission does not have authority to prevent countries from suspending data transfers to countries with inadequate protections under EU law. These two flaws “are inseparable” from Decision 2000/520 as a whole, so the Decision itself is invalid.”
See: Timothy Edgar, Surveillance Reform Is Only Hope for Reviving Safe Harbor, LawFare, October 7, 2015; Timothy Edgar, Focusing PRISM: An Answer to European Privacy Concerns?, LawFare, October 10, 2015; James DeGraw et al., The U.S.-EU Safe Harbor Framework Is Invalid: Now What?, October 9, 2015; Russell Miller, Schrems v. Commissioner: A Biblical Parable of Judicial Power, Verfassungsblog, Oct. 14, 2015; Peter Swire, Don’t Strike Down the Safe Harbor Based on Inaccurate Views About U.S. Intelligence Law, Privacy Perspectives, Oct. 5, 2015.
 Timothy Edgar, Focusing PRISM: An Answer to European Privacy Concerns? LawFare October 10, 2015
The EU-US safe harbour had the following exception: “Adherence to these Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that create conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts. Consistent with the goal of enhancing privacy protection, organizations should strive to implement these Principles fully and transparently, including indicating in their privacy policies where exceptions to the Principles permitted by (b) above will apply on a regular basis. For the same reason, where the option is allowable under the Principles and/or U.S. law, organizations are expected to opt for the higher protection where possible.” The contractual clauses have different wording. See Decision 2001/497/EC, Set I: “They shall apply subject to the mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others.” Commission Decision C(2010)593: “Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.”
For example, in Commission Decision C(2010)593, the data importer agrees to comply with “Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.” (emphasis added) If this term is interpreted in accordance with EU law, the data importer may not be able to demonstrate compliance, given the judgment of the CJEU in the Schrems case.
See PIPEDA s. 7(3). See Colin Bennett, Could Europe end up targeting Canada over C-51 and digital privacy? iPolitics, Oct. 13, 2015.