The European Court of Justice (CJEU) handed down a decision declaring EU-US safe harbour for personal data invalid this morning. It has far-reaching implications for cloud services in particular and may presage increased opportunity for open source solutions from non-US suppliers. Looks like a real gift to companies like Kolab.
Here’s my first reaction on reading the sources. Let me know what I have wrong & I’ll fix it. In his Opinion, the Advocate General (whose view is broader than the court’s but compatible with it) said:
¶183. I am therefore of the view that Decision 2000/520 must be declared invalid since the existence of a derogation which allows in such general and imprecise terms the principles of the safe harbour scheme to be disregarded prevents in itself that scheme from being considered to ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union.
The court supported that view. That decision strikes down the “Safe Harbour” arrangement that allows companies to treat the USA as equivalent to a European state for the purposes of data protection and privacy.
How The Harbour Broke
Why did they reach that decision? The Advocate General’s discussion is more enlightening than the court’s judgment, which simplified the matter. The core reason for the AG is that the USA has been found to perform indiscriminate mass surveillance of non-citizens. The key discussion is in paragraphs 198-202:
¶198. I note, in that regard, that the access which the United States intelligence authorities may have to the personal data transferred covers, in a generalised manner, all persons and all means of electronic communication and all the data transferred, including the content of the communications, without any differentiation, limitation or exception according to the objective of general interest pursued. (79)
¶199. Indeed, the access of the United States intelligence services to the data transferred covers, in a comprehensive manner, all persons using electronic communications services, without any requirement that the persons concerned represent a threat to national security. (80)
¶200. Such mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed by Articles 7 and 8 of the Charter.
¶201. As the Parliament has correctly observed in its observations, since it is excluded for the EU legislature or the Member States to adopt legislation, contrary to the Charter, providing for mass and indiscriminate surveillance, it must follow, a fortiori, that third countries cannot under any circumstances be regarded as ensuring an adequate level of protection of personal data of citizens of the Union where their rules of law do in fact permit the mass and indiscriminate surveillance and interception of such data.
¶202. It should be emphasised, moreover, that the safe harbour scheme, as defined in Decision 2000/520, does not contain appropriate guarantees for preventing mass and generalised access to the transferred data.
Further, the AG found (and the Court agreed) that, while there are mechanisms to ensure that the declaration of safe harbour itself is valid (¶19), there is no independent authority ensuring that any derogations from privacy, once the data has been transferred to the USA, are necessary and proportionate:
¶208. It should therefore be found that within the safe harbour scheme provided for by Decision 2000/520 there is no independent authority capable of verifying that the implementation of the derogations from the safe harbour principles is limited to what is strictly necessary. Yet we have seen that such control by an independent authority is, from the point of view of EU law, an essential component of the protection of individuals with regard to the processing of personal data.
He also found that there is no way for European citizens to intervene in the abuse of their personal data by the US authorities as there is for them in Europe.
¶212. Furthermore, the Commission has itself pointed out that there are no opportunities for citizens of the Union to obtain access to or rectification or erasure of data, or administrative or judicial redress with regard to collection and further processing of their personal data taking place under the United States surveillance programmes.
¶213. It should be observed, last, that the United States rules on the protection of privacy may be applied differently to United States citizens and to foreign citizens.
They found that the European Commission should itself have reviewed and suspended the safe harbour, particularly in the light of the (largely undisputed) revelations by Edward Snowden of indiscriminate mass surveillance of foreign nationals by the NSA. The court also found that the lack of any competent authority to supervise the safe harbour arrangements and hear binding appeals made 2000/520 invalid anyway.
Questions directly arising
- Can any EU company now legally engage a US supplier for cloud or web application services, given relationships with US authorities are beyond contractual remedy?
- If they do, is consent from every data subject necessary?
- Given US courts claim jurisdiction over any subsidiary of a US corporation regardless of location even without routine data transfer to the USA, can any EU business use the services of a US company even when the work is conducted entirely in Europe?
- If they do, is consent from every data subject necessary?
- If the EC made a fresh determination to replace 2000/520, would that heal everything given the existence of NSA surveillance is unlikely to disappear?
- Can any remedy be made until the US gives EU citizens standing to challenge use of their personal data in the USA in its courts?
- If it does, will the EC need to regularly re-evaluate its determinations?
The Storm That Broke The Harbour
The journey to that decision is itself important. The original question asked by the High Court of Ireland concerned whether the Data Protection Commission for Ireland was entitled to make any rulings at all about the efficacy of safe harbour given the European Commission had already made a Union-wide declaration, “in the light of factual developments in the meantime since that Commission Decision was first published.”
This took place during the final appeal phase of a claim in Ireland by Maximilian Schrems of Austria that the sharing of his personal data by Facebook Ireland with its parent company Facebook Inc was in breach of European data protection law despite Facebook’s compliance with the safe harbour arrangements. The Irish Data Protection Commissioner had dismissed the claim, but Schrems sought judicial review of that decision in the Irish High Court, arguing that Edward Snowden’s revelations showed the safe harbour was not in fact adequate for data protection.
The Irish High Court itself found important facts. First, it established that Snowden’s revelations should be considered factual:
¶36. According to the High Court, it is clear from the extensive exhibits accompanying the affidavits filed in the main proceedings that the accuracy of much of Edward Snowden’s revelations is not in dispute. The High Court therefore concluded that, once personal data is transferred to the United States, the NSA and other United States security agencies such as the Federal Bureau of Investigation (FBI) are able to access it in the course of a mass and indiscriminate surveillance and interception of such data.
Were the only issue the law of Ireland, there would have been no need for clarification:
¶37. The High Court notes that in Irish law the importance of the constitutional rights to privacy and to inviolability of the dwelling requires that any interference with those rights be in accordance with the law and proportionate. The mass and undifferentiated accessing of personal data does not satisfy the requirement of proportionality and must therefore be considered contrary to the Constitution of Ireland.
But the Irish Commissioner had taken the position that, since the European Commission had already declared the existence of a safe harbour, he could not intervene on behalf of Schrems.
¶50. The Commissioner considered that the very existence of a Commission decision recognising that the United States ensures an adequate level of protection under the safe harbour scheme prevented him from investigating the complaint.
As a result, the CJEU had first to decide whether a national data protection authority was pre-empted by the European Commission’s decision. If it was not, it then had to decide whether, in the case of the US safe harbour, that Commission decision was itself valid. As explained above, the court held that it was not; on the first question it ruled that:
… a decision … such as Commission Decision 2000/520/EC … on the adequacy of the protection provided by the safe harbour privacy principles … does not prevent a supervisory authority of a Member State … from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him
That also raises questions within Europe. Given that GCHQ also allegedly engages in mass surveillance, are transfers between, say, Germany and the UK also safe transfers? Having established that national authorities retain the competence to examine such complaints, surely some could now start questioning transfers across the Union as well as those outside it?