Decision 2000/520 of the European Commission (the Safe Harbor Decision), which stated that Safe Harbor-certified US companies provide adequate protection for personal data transferred to them from the EU, was ruled invalid by the European Court of Justice (ECJ) on October 6th, 2015, in its judgment in Case C‑362/14 – Schrems v [Irish] Data Protection Commissioner.
Safe Harbor certification does not ensure an adequate level of protection!
Following the 2013 Snowden revelations that private data stored on servers in the United States, owned or controlled by a range of companies active in the internet and technology field, was made available on a large scale to the United States intelligence services, Austrian privacy activist Maximilian Schrems lodged a complaint with the Irish Data Protection Commissioner. He claimed, in essence, that the law and practices of the United States offer no real protection of the data kept in the United States against state surveillance, and asked the Commissioner to prohibit Facebook Ireland from transferring his personal data to the United States.
The Commissioner rejected the complaint and argued that the Safe Harbor Decision prevented him from examining whether an adequate level of protection was ensured or not. Mr. Schrems brought proceedings before the High Court for judicial review. The High Court decided to stay proceedings and to refer to the ECJ for a preliminary ruling the question whether the Commissioner is absolutely bound by the Community finding contained in the Safe Harbor Decision, that the United States ensures an adequate level of protection under the safe harbor scheme, or whether the Commissioner may and/or must conduct his or her own investigation in the light of factual developments since the Safe Harbor Decision was first published.
On September 23rd, Advocate General Yves Bot delivered an opinion in the Schrems case, arguing that the existence of a decision adopted by the European Commission finding that a particular third country ensures an adequate level of protection does not prevent a national supervisory authority from investigating a complaint alleging that the same third country does not ensure an adequate level of protection of the personal data transferred and, where appropriate, from suspending the transfer of that data. In addition, Advocate General Bot proposed that the ECJ invalidate the Safe Harbor Decision. The ECJ, in its October 6th judgment, found that the Commission in the Safe Harbor Decision failed to duly state reasons that the United States in fact ‘ensures’ an adequate level of protection. Furthermore, the ECJ found that the Commission exceeded the power conferred upon it by denying the national supervisory authorities the powers to examine, with complete independence, any claim concerning the protection of a person’s rights and freedoms in regard to the processing of personal data relating to him, i.e. the powers to examine whether a particular third country ensures an adequate level of protection of the transferred personal data.
Other mechanisms for international transfers of personal data available under EU data protection law
The European Commission’s First Vice-President Frans Timmermans stated that both the protection of personal data transferred across the Atlantic and the continuation of transatlantic data flows, with adequate safeguards, are among the Commission’s priorities. This is of extreme importance for the more than 4,000 US companies that were relying on Safe Harbor. Commissioner Vera Jourová added that the EU data protection rules provide for several other mechanisms that offer safeguards for international transfers of personal data and that data flows can continue without the Safe Harbor.
Firstly, Directive 95/46/EC (the Data Protection Directive) itself allows transfers to a third country which does not ensure an adequate level of protection on condition that the data subject has given his consent unambiguously to the proposed transfer, or if the transfer is:
- necessary for the performance of a contract, or
- necessary or legally required on important public interest grounds, or
- necessary in order to protect the vital interests of the data subject.
Other mechanisms for international transfers of personal data available under EU data protection law include model contractual clauses and binding corporate rules. Article 26 (2) of the Data Protection Directive provides that an EU member state may authorize a personal data transfer to a third country which does not ensure an adequate level of protection, where the controller adduces adequate safeguards. Such safeguards may in particular result from appropriate contractual clauses. The European Commission has so far issued two sets of standard contractual clauses for transfers from data controllers to data controllers established outside the EU/EEA and one set for the transfer to processors established outside the EU/EEA. Binding Corporate Rules, on the other hand, are internal rules adopted by a multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection, and which are then approved by one lead EU data protection authority. The lead authority handles the EU co-operation procedure with the other relevant data protection authorities, i.e. the data protection authorities of those countries from which entities of the group transfer personal data to entities located in countries which do not ensure an adequate level of protection.
Finally, restructuring data storage architecture by migrating data servers to European countries to ensure that European data remains in Europe is always an option, but may add significant cost.
How concerned should you be for personal data transfers from Serbia?
Even though it is not a member state of the EU, Serbia is a party to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and its Additional Protocol regarding supervisory authorities and transborder data flows. According to Article 2 of the Additional Protocol, Serbia may allow a transfer to a third country that is not party to the Convention only if that country ensures an adequate level of protection. By way of derogation from that rule, Serbia may allow for the transfer of personal data if domestic law provides for it because of specific interests of the data subject, or legitimate prevailing interests, especially important public interests, or if safeguards, which can in particular result from contractual clauses, are provided by the controller responsible for the transfer and are found adequate by the competent authorities according to domestic law.
The Serbian Law on Personal Data Protection provides that data may be transferred from Serbia to a country that is not a party to the Convention if such country has a regulation or a data transfer agreement in force which provides a level of data protection equivalent to that envisaged by the Convention. Authorization for transfer needs to be obtained from the Data Protection Commissioner, who issues such authorization upon consideration of whether the requirements are met and safeguards put in place for the transfer. The limited number of requests submitted and authorizations issued allowing transfer to the US serves as an indication that most transatlantic data flows from Serbia are actually illegal.
Invalidation of the Safe Harbor Decision, even though the Serbian Data Protection Commissioner was never bound by it, will have consequences in Serbia as well. The Commissioner himself issued a statement on October 7th, praising the Schrems Ruling and insisting on Serbia’s obligation to provide its citizens and residents with the level of data protection envisaged by the Constitution, the Law on Personal Data Protection and the Convention that Serbia is a party to, the same as each and every EU country. Fulfilling that obligation will require strict supervision, and strict supervision may lead to the suspension of unauthorized transfers, the imposition of fines and even criminal prosecution of those responsible for unauthorized transfers.
We will monitor further developments and explore how data flows from Serbia will be affected by the ECJ’s ruling. For information on data protection related matters in Serbia, please do not hesitate to contact Slobodan Kremenjak (slobodan.kremenjak@zslaw.rs), Vesna Živković (vesna.zivkovic@zslaw.rs), Miloš Stojković (milos.stojkovic@zslaw.rs), or any of your regular contacts at Živković|Samardžić.