The Long Shadow of Maximillian Schrems v. Data Protection Commissioner [2015] – What Next for EU Safe Harbour Compliance on Data Transfers to the United States?

November 9, 2015

INTRODUCTION:

On October 6, 2015,[1] the Court of Justice of the European Union (ECJ) declared invalid a decision of the European Commission of July 26, 2000[2] that had, pursuant to the relevant EU data protection law,[3] granted and acknowledged safe harbour for certain United States entities when transferring the personal data of European Union citizens to, and processing and storing that data within, the United States. The case had been referred to the ECJ for a preliminary ruling from the High Court of Ireland, with a subsequent non-binding Opinion from the ECJ Advocate General, Yves Bot,[4] that the ECJ eventually followed.

CASE HISTORY:

The case began when Maximilian Schrems, an Austrian citizen (and law student at that time), spearheaded a group to file a complaint with the Irish Data Protection Commissioner (DPC)[5] against Facebook Ireland Ltd, which is the company’s European headquarters. When Billy Hawkes, the Irish DPC, rejected the case,[6] Schrems and his group sought and were granted judicial review at the High Court of Ireland.[7] Citing pre-emption on the key issues by European law, Mr. Justice Hogan adjourned the case pending referral to the European Court of Justice (ECJ).[8] Those key issues were: (a) whether the Edward Snowden revelations of 2013[9] revealed such a wholesale (both actual and potential) lack of compliance with European law that the U.S. Safe Harbour provisions with regard to transferring the personal information of European citizens were essentially invalid; and (b) whether EU member states were bound by controlling EU privacy laws regarding those safe harbours, or free to pursue their own investigations into allegations of privacy breach or other non-compliance as and when needed, and were then subsequently able to suspend data transfers if they violated EU laws and/or EU citizen rights. Advocate General Bot had opined in the affirmative on both of these points,[10] and the ECJ agreed.

IMPLICATIONS:

Being effective immediately and with no grace period (or period of suspended invalidity as would likely have been applicable in Canada,[11] were the matter heard under Canadian jurisdiction),[12] the ruling immediately put the businesses and business practices of thousands of entities in legal jeopardy for their reliance on an invalid law. Fortunately for all, the European Union’s 28 national data protection authorities, acting through their Article 29 Working Party, issued an October 16, 2015 statement[13] encouraging those entities impacted by the ruling to negotiate, establish, and implement their own interim measures to ensure compliance with the ruling, including, in a later Q&A compliance release of November 6, 2015, that they “consider putting in place any legal and technical solutions to mitigate any possible risks they face when transferring data”;[14] assuring European businesses and citizens that privacy and data protection remained key elements of European law, and that they would issue further guidance at a national level, but at a later date; and implying quite strongly that coordinated enforcement actions might issue if an appropriate successor framework could not be negotiated with the United States by the end of January, 2016.[15] That specific “deadline” language read:

“If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”[16]

Essentially, then, the Commissioners agreed to implement a suspended enforcement as they could not retroactively seek or secure any period of suspended invalidity from the ECJ, and nobody had asked for one to be considered on the possibility of such a decision resulting. It would have been interesting to read the ECJ views on Canadian and other such precedent …. Perhaps we’ll read that some other time!

For now, we watch as companies scramble to “not” comply with this newly invalid law;[17] we wait for that national European guidance (whether or not uniform or coordinated);[18] and we follow – to the extent made public – negotiations between the United States and Europe up to January 31, 2016. There may already be light at the end of that negotiation tunnel, as two identical bills – H.R.1428[19] in the House of Representatives (now passed by the full House), and S.1600 in the United States Senate[20] – may eventually grant the United States District Court for the District of Columbia (USDC, DC) exclusive jurisdiction to hear foreign citizens’ privacy breach complaints against federal (not state) government actors of the United States. But only the President can sign any final version of either Bill into law.

In addition, the matter – now transferred back to the Irish High Court for further deliberations – may still result in a finding that Facebook cannot provide adequate data privacy protections for European citizens. If again referred or appealed to the ECJ, and upheld, Facebook’s European operations might cease under subsequent enforcement actions in one or many European jurisdictions on such a ruling.

And so, one way or the other, we wait![21]

*****************************************************************

Author:

Ekundayo George is a lawyer and sociologist. He has also taken courses in organizational and micro-organizational behavior, and gained significant experiences in regulatory compliance, litigation, and business law and counseling. He is licensed to practice law in Ontario and Alberta, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America. See, for example: http://www.ogalaws.com. A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other services, and Environmental Law and Policy; working with equal ease and effectiveness in his transitions to and from the public and private sectors. He is a published author on the National Security aspects of Environmental Law, has represented clients in courts and before regulatory bodies in both Canada and the United States, and he enjoys complex systems analysis in legal, technological, and societal milieux.

Trained in Legal Project Management (and having organized and managed several complex projects before practicing law), Mr. George is also an experienced negotiator, facilitator, team leader, and strategic consultant – sourcing, managing, and delivering on complex engagements with multiple stakeholders and multidisciplinary teams. Team consulting competencies include program investigation, sub-contracted procurement of personnel and materials, and such diverse project deliverables as business process re-engineering, devising and delivering tailored training, and other targeted engagements through tapping a highly-credentialed resource pool of contract professionals with several hundred years of combined expertise, in: Healthcare; Education & Training; Law & Regulation; Policy & Plans; Statistics, Economics, & Evaluations including feasibility studies; Infrastructure; and Information Technology/Information Systems (IT/IS) – also sometimes termed Information Communications Technologies (ICT). See, for example: http://www.simprime-ca.com.

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering of any professional service, or attorney advertising where restricted or barred. The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein. Past results are no guarantee of future success, and specific legal advice should be sought for particular matters through counsel of your choosing, based on such factors as you deem appropriate.

[1] Schrems (Judgment) [2015] EUECJ C-362/14 (06 October 2015), [2015] EUECJ C-362/14, [2015] WLR(D) 403, EU:C:2015:650, ECLI:EU:C:2015:650. Online: http://www.bailii.org/eu/cases/EUECJ/2015/C36214.html

[2] Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 L 215, p. 7)

[3] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).

[4] Case C-362/14 Maximillian Schrems v. Data Protection Commissioner [2015] EUECJ C-362/14, Opinion of AG Bot (23 September 2015). Online: http://www.uni-muenster.de/Jura.itm/hoeren/itm/wp-content/uploads/C0362_2014-EN-Opinion.pdf

[5] RTE News. Data Protection Commissioner says no action will be taken against Apple and Facebook. Published on rte.ie, July 26, 2013. Online: http://www.rte.ie/news/2013/0726/464770-data-protection/

[6] Id.

[7] Schrems v. Data Protection Commissioner [2014] IEHC 310 (18 June 2014). Online: http://www.bailii.org/ie/cases/IEHC/2014/H310.html

[8] Ruadhán Mac Cormaic. High Court refers Facebook privacy case to Europe. Published on irishtimes.com, June 19, 2014. Online: http://www.irishtimes.com/business/technology/high-court-refers-facebook-privacy-case-to-europe-1.1836657

[9] Barton Gellman. Edward Snowden, after months of NSA revelations, says his mission’s accomplished. Published on washingtonpost.com, December 23, 2013. Online: http://www.washingtonpost.com/world/national-security/edward-snowden-after-months-of-nsa-revelations-says-his-missions-accomplished/2013/12/23/49fc36de-6c1c-11e3-a523-fe73f0ff6b8d_story.html

[10] Supra note 4.

[11] Schachter v. Canada, [1992] 2 S.C.R. 679 at 715-16, 1992 CanLII 74 (SCC) per Lamer, CJ. Online: http://scc-csc.lexum.com/scc-csc/scc-csc/en/item/903/index.do

A court may strike down legislation or a legislative provision but suspend the effect of that declaration until Parliament or the provincial legislature has had an opportunity to fill the void. This approach is clearly appropriate where the striking down of a provision poses a potential danger to the public (…) or otherwise threatens the rule of law (…). It may also be appropriate in cases of underinclusiveness as opposed to overbreadth. For example, in this case some of the interveners argued that in cases where a denial of equal benefit of the law is alleged, the legislation in question is not usually problematic in and of itself. It is its underinclusiveness that is problematic so striking down the law immediately would deprive deserving persons of benefits without providing them to the applicant. At the same time, if there is no obligation on the government to provide the benefits in the first place, it may be inappropriate to go ahead and extend them. The logical remedy is to strike down but suspend the declaration of invalidity to allow the government to determine whether to cancel or extend the benefits. (Citations omitted).

[12] As I wrote in an earlier blog post, Canadians are very much aware of the challenges of international data governance and transnational privacy protection. See e.g. Ekundayo George. In whose pocket is your data packet? – International Data Governance. Published on ogalaws.wordpress.com, February 6, 2013. Online: https://ogalaws.wordpress.com/2013/02/06/in-whose-pocket-is-your-data-packet-international-data-governance/

[13] Article 29 Working Party (Art. 29 WP). Statement on the implementation of the judgement of the Court of Justice of the European Union of 6 October 2015 in the Maximilian Schrems v Data Protection Commissioner case (C-362-14). Brussels, October 16, 2015. Online: http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2015/20151016_wp29_statement_on_schrems_judgement.pdf

[14] European Commission – Fact Sheet. Q&A: Guidance on transatlantic data transfers following the Schrems ruling. MEMO/15/6014. Brussels, November 6, 2015. Online: http://europa.eu/rapid/press-release_MEMO-15-6014_en.htm

[15] Supra, note 13.

[16] Id.

[17] See e.g. supra, note 14.

[18] Technology executives and politicians alike have even warned that if these concerns over, and an increasingly vocal resistance to, targeted and/or bulk collection of personal data through government surveillance continue to “trend”, we may very soon see a real splintering of the internet into several disparate and walled-off variants. See e.g. Stephen Lawson, IDG News Service. Jitters over US surveillance could break the Internet, tech leaders warn. Published on itworld.com, October 8, 2014. Online: http://www.itworld.com/article/2825590/security/jitters-over-us-surveillance-could-break-the-internet–tech-leaders-warn.html

[19] First introduced in the United States House of Representatives (the “House”) on March 18, 2015 by Representative F. James Sensenbrenner, a Wisconsin Republican, the HR.1428 Bill is officially known as The Judicial Redress Act of 2015, and has a stated purpose “[t]o extend Privacy Act remedies to citizens of certified states, and for other purposes”. Online: https://www.congress.gov/bill/114th-congress/house-bill/1428/all-info

[20] First introduced in the United States Senate (the “Senate”) on June 17, 2015 by Senator Christopher S. Murphy, a Connecticut Democrat, the S.1600 Bill has now been referred (as H.R.1428) to the Senate Judiciary Committee, but it is yet to be considered and voted upon by the full Senate. Online: https://www.congress.gov/bill/114th-congress/senate-bill/1600/all-info

[21] *Reserved (pending further news).
