Schrems: Comments and Reaction

October 5, 2015

The Editor is happy to update this list and add reaction from any sensible source. Additions are entirely at his discretion. We hope to carry a series of articles assessing the impact of this decision in the course of the next week or so. I recall though that Zhou Enlai allegedly said in the 1970s, when assessing the impact of the French Revolution, ‘it may be too early to say’ and we may be some way off a full assessment of Schrems.

The full judgment is the base for all informed comment and can be found here. You can probably get away with reading para 73 and then para 93 onwards if you want to cheat. Or you can read the Court’s press release here.

Max Schrems should probably be allowed in this list even though his reaction is predictable. See his ‘initial response’.

Facebook said in a statement:

“This case is not about Facebook [although it rather obviously is: Ed]. The Advocate General himself said that Facebook has done nothing wrong. What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows. Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbour. It is imperative that EU and US governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.”

Helen Dixon, the Irish data-protection commissioner, said that she “welcome[s] today’s judgment,” that she is taking steps to bring the original case “back as soon as practicable before the Irish High Court”, and that “in declaring the old ‘safe harbour’ rules invalid … the significance of the judgment extends far beyond the case presently pending in Ireland. In that regard, my Office will immediately engage with our colleagues in other national supervisory authorities across Europe to determine how the judgment can be implemented in practice, quickly and effectively, particularly insofar as it impacts on EU/US data transfers.”

The ICO Deputy Commissioner David Smith said:

“[The] ruling is clearly significant and it is important that regulators and legislators provide a considered and clear response. This ruling is about the legal basis for the transfer of personal data to businesses that are members of the US Safe Harbor. It does not mean that there is an increase in the threat to people’s personal data, but it does make clear the important obligation on organisations to protect people’s data when it leaves the UK.

“The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time to do this.

“It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions. The ICO has previously published guidance on the full range of options available to businesses to ensure that they are complying with the law related to international transfers. We will now be considering the judgment in detail, working with our counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them. Businesses should check the ICO website for details over the coming weeks. 

“Concerns about the Safe Harbor are not new. That is why negotiations have been taking place for some time between the European Commission and US authorities with a view to introducing a new, more privacy protective arrangement to replace the existing Safe Harbor agreement. We understand that these negotiations are well advanced.” 

The Article 29 Working Party state:

The Working Party is aware that this decision, taken in the context of the negotiation on the European Regulation and the discussions on the Safe Harbour between the European Commission and the US authorities, has major consequences on all stakeholders. For these reasons, in order to provide a coordinated analysis of the Court’s decision and to determine the consequences on transfers, a first round of discussions between experts is organized this week in Brussels. Moreover, an extraordinary plenary meeting of the Working Party will be shortly scheduled.

Digital Europe commented:

DIGITALEUROPE is disappointed by the ruling of the Court of Justice of the EU (CJEU) today in the case of Maximillian Schrems vs Data Protection Commissioner. The immediate invalidation of transatlantic data flows will cause immediate harm to Europe’s data economy and will negatively impact countless consumers, employees and employers. We have grave concerns about the long-term implications this Judgement will have on the way Europe transfers data to the rest of the world.

“We urgently call on the European Commission and the United States Government to conclude their long-running negotiations to provide a new Safe Harbour agreement as soon as possible,” said Peter Olson, President of DIGITALEUROPE.

“We also call on the European Commission to immediately issue guidance to companies operating under the Safe Harbour framework to ensure that essential and routine commercial activities can occur during the current legal vacuum,” Mr Olson added.

DIGITALEUROPE member companies take their commitments to transferring data to the United States securely, responsibly and in compliance with European legal obligations very seriously. It is important for businesses operating in the Internal Market to have an instrument that provides legal certainty.

In addition to the immediate disruption to international data flows, today’s Judgement risks jeopardising the creation of a true Digital Single Market (DSM) in Europe.

“The DSM is a key strategic objective of the European Commission. Its success is a central component to kick-starting economic growth and job creation across the EU. We question how Europe will be able to effectively create a Digital Single Market if 28 Member States pursue different approaches to how the data can be transferred beyond Europe’s borders,” Mr Olson said.

The only way to deal with the issue of mass surveillance of citizens’ personal data by security agencies – that lies behind today’s case – is through direct government-to-government negotiations.

Technollama is terrific on context and forthright on consequences: http://www.technollama.co.uk/european-court-declares-data-protection-safe-harbor-invalid

Steven Lorber in the Lewis Silkin Data Protection Journal seems to offer some solid advice – worth a read.

Hogan Lovells’ Data Protection Journal offers a ‘plan of action’:

1. Carry out a data transfers assessment to identify which data transfers from the EU to the US had been legitimized by Safe Harbor.

2. Prioritise key transfers for the business by reference to the nature of the data and its use.

3. For intra-group transfers, identify all of the entities involved and assess the most suitable alternative to Safe Harbor. In the short term, this is likely to involve an interim contractual solution whilst more permanent mechanisms – such as BCR – are considered.

4. For transfers to service providers, review any existing contracts for references to Safe Harbor and determine whether the relevant vendor is offering a suitable contractual option or is able to rely on a Processor BCR.

5. US-based service providers should consider the most appropriate legal mechanism to enable customers to continue to use their services lawfully.

I liked this in the blog post from Stewart Room of PwC Legal:

‘The Convention on Human Rights, the Charter of Fundamental Rights and Freedoms and, of course, data protection law itself are much more “rigid” than the Safe Harbour Decision implied: privacy law has to be rigidly applied.  It cannot be bent out of shape for commercial and political purposes.

Rigidity means strictness.  This is the most significant impact of the CJEU judgment.  Every national supervisory authority in Europe now knows that they will have to apply intense scrutiny to challenges that come their way.  Complaints will have to be properly investigated on their facts.  If they are not, the citizen and the courts will become the regulators.  The natural extension of this new reality is tougher regulation.’

SCL was sent a comment from Ashley Winton, UK head of data protection and privacy at Paul Hastings, which included this view:

‘Many European data protection regulators, particularly those in Germany, have long believed that the conditions of the safe harbour scheme are not substantial enough and the effect of today’s ruling will empower them to investigate and check the acceptability of any data transfer themselves.

In addition, although the case today primarily concerns safe harbor the ruling will also apply to other European Commission approved methods of transferring personal data internationally.

Crucially, this case cannot be considered alone. Following the landmark case of Weltimmo last week, multinational companies that have elected to create an establishment in a more business-friendly jurisdiction are now likely to have their data protection practices scrutinised by local regulators all across the EU.

There are currently no rules limiting individuals bringing complaints regarding data protection across multiple jurisdictions simultaneously, so we may now see these complaints springing up from every direction, where data is being shared around the world.’