Safe Harbor before the EU Court of Justice

On 24 March 2015, the Court of Justice of the European Union (“CJEU”) held an oral hearing in the case Schrems v. Data Protection Commissioner (Case C-362/14), which deals with the legality of data transfers to the US under the EU-US Safe Harbor system. While the case has attracted considerable public attention, there has been little discussion of whether it would actually improve data protection in practice, and of its implications for the “adequacy” standard for international data transfers under the EU Data Protection Directive 95/46.

The case arose from proceedings before the Irish courts brought by Max Schrems, an Austrian PhD student and privacy activist, in which he challenged the legality of a decision by the Irish Data Protection Commissioner (“DPC”), the respondent, not to investigate his claims relating to data transfers to the US by Facebook. Facebook’s US data transfers are based on its membership in the Safe Harbor, a self-regulatory scheme that is enforced by the US Federal Trade Commission. The European Commission found in a formal decision issued in 2000 that the Safe Harbor provides “adequate protection” under Article 25 of the Directive, but Schrems contests this conclusion because of widespread data access by US intelligence services.

The case eventually wound up in the High Court of Ireland which, in a judgment of 18 June 2014, referred two questions to the CJEU. In brief, the questions ask whether the national data protection authorities (“DPAs”) are absolutely bound by a Commission adequacy decision with regard to data transfers to third countries, or whether they may conduct their own investigations into the adequacy of data protection in light of Articles 7, 8, and 47 of the EU Charter of Fundamental Rights. Further information concerning the case is available on the web site of Schrems’ NGO “Europe versus Facebook”. The opinion of Advocate General Yves Bot is expected on 24 June.

I have been in Brussels since the Safe Harbor was enacted in 2000, and there is no doubt that the kind of mass data access by law enforcement that has come to light in the last few years was never envisioned then. Some important provisions of the Safe Harbor are unclear and need to be strengthened, as Schrems points out in his written observations to the CJEU. Schrems is performing a useful service by shining a light on these deficiencies, and I sympathize with many of his arguments concerning fundamental rights. However, it seems to me that the remedy he seeks (to invalidate the Safe Harbor, either directly or by a “death of a thousand cuts” by allowing the DPAs to subject it to varying interpretations) is based on formalistic arguments that fail to consider the level of protection that data transfers receive in practice.

For example, Schrems implies that use of the EU-approved standard contractual clauses for data transfers results in a higher level of protection than does the Safe Harbor, since transfers under the clauses are “under supervision by DPAs” (see para. 59 of his written observations). However, in most Member States the standard clauses need not be filed with the DPAs, and in most of those that do require filing, the DPAs never scrutinize them. Under the General Data Protection Regulation proposed in 2012 by the European Commission, which is currently being debated by the Council, the use of the standard clauses would not require DPA authorisation (see Article 42(3) of the Commission proposal). The DPAs’ statutory enforcement powers also do not extend to parties in third countries. Thus, the argument that the standard clauses provide “added value” because of DPA involvement is essentially a legal fiction.

Moreover, neither the standard clauses nor any of the other legal bases for transferring personal data under the Data Protection Directive 95/46 provide any more protection against data access by foreign law enforcement than does the Safe Harbor. Data transfers based on consent cannot protect against law enforcement access, and the standard contractual clauses merely provide for notification of such access to the data exporter (e.g., Clauses 5(b) and 5(d) of the 2010 controller to processor clauses, Commission Decision C2010(593)). Binding corporate rules (“BCRs”) similarly only provide that the EU headquarters of the data exporter be notified of law enforcement access unless local law mandates that access be kept confidential (see Article 29 Working Party WP 154, page 8), as US law generally does.

Expecting EU data protection law to prevent data access by foreign intelligence services unrealistically attempts to tackle by legal means a problem that can only be resolved by political agreement between the EU and third countries. None of the legal mechanisms for regulating international data transfers under the Directive were ever intended to provide protection against access by foreign intelligence services, as is shown by the fact that data processing for national security purposes is exempted from both the Directive and the proposed Regulation (indeed, under Article 4 TEU, national security falls outside the scope of Union law). If the CJEU invalidates the Safe Harbor, it will not impede the ability of foreign law enforcement to access data, but it will create legal uncertainty about the status of other data transfer mechanisms and ultimately of the entire regime for regulating data transfers under the Directive.

The case also raises questions about regulating data transfers based on data protection in third countries being deemed “adequate” under EU standards. In its Opinion 2/13 of 18 December 2014, finding that the agreement for accession of the EU to the European Convention on Human Rights violates EU law, the CJEU described EU law as “a new kind of legal order, the nature of which is peculiar to the EU, its own constitutional framework and founding principles, a particularly sophisticated institutional structure and a full set of legal rules to ensure its operation” (para. 158). The protection of fundamental rights is one of the foundations of the EU legal order (Kadi I, Cases C-402/05P and C-415/05P, para. 304), and the fundamental right to data protection is based on principles such as the fair processing of data for specified purposes and control by an independent authority that are enshrined in foundational instruments such as the Charter of Fundamental Rights (see Article 8). But if the underlying legal order that is necessary to realize EU data protection rights is special and unique to the EU, then it seems unlikely that most third countries could ever implement such rights in the same way as under EU law, a conclusion reinforced by the fact that since the Directive entered into force in 1998, the European Commission has issued only twelve official “adequacy” decisions.

In a world marked by a diversity of constitutional approaches and legal pluralism, it is illusory to expect that a legal order can provide complete global protection for its individuals by convincing other countries to adopt its own standards; what is needed are creative solutions that take the different characteristics of other legal systems into account, and, ultimately, an international solution such as a treaty. The Safe Harbor is an adaptation of EU data protection law for the US legal environment, and, for all its deficiencies, it has resulted in a growing acceptance in the US of EU standards. It thus represents a valuable “foothold” for EU data protection law in the US, and invalidating it would result in the EU unilaterally ceding its influence over US developments without receiving anything in return. Allowing the DPAs to apply their own interpretations of Commission adequacy decisions is also not the right solution, since it would only lead to further national fragmentation of data protection law, and open the door to forum shopping by companies seeking to obtain the most favourable interpretation of data protection standards.

Transferring data internationally implicates other fundamental rights besides data protection, such as the right to communicate “regardless of frontiers” that is protected by the Charter of Fundamental Rights (Article 11) and the European Convention on Human Rights (Article 10). As the CJEU has held several times in its data protection judgments, fundamental rights must be balanced based on the principle of proportionality (e.g., Lindqvist, Case C-101/11, paras. 87-89), and the Court should consider the implications of the Schrems case for other fundamental rights as well.

There is no perfect solution to the questions raised by the Schrems case. Probably the best choice among an unsatisfactory group of options would be for the Court to affirm the strategy currently being pursued by the European Commission, namely to indicate that the general approach the Safe Harbor takes is valid, while requiring that certain improvements to it be negotiated with the US government. As for restricting access to data by law enforcement authorities, the Member States could send an important signal to third countries by indicating that they are willing to subject their own intelligence services to EU rules. And there needs to be a serious debate about how “adequate protection” that is actually effective in practice (including with regard to the activities of the intelligence services) can be provided for data flows involving EU individuals.