2015/10/27: The Safe Harbour Judgment and its Consequences, Continued (2)

I first wrote about the recent Safe Harbour judgment of the EU Court of Justice here, with an update here. In the first blog entry I gave an overview of the judgment itself, while the second blog entry concentrated more on what affected companies will have to deal with now and in the near future. This includes having to review all transfers of personal data, especially if data is going to the United States, and finding alternate solutions in case these transfers are taking place under the now defunct Safe Harbour Agreement. I also expressed a personal preference to find solutions wherein personal data is only stored in EU or EFTA Member States. It is that last aspect that I want to deal with in detail here.

As described before, there are essentially three viable replacements for the Safe Harbour Agreement when transferring personal data to the United States:

  1. The use of Standard Contractual Clauses in a contract with the US-based data processor,
  2. The use of Binding Corporate Rules (only in case of multinational corporations for internal transfers), and
  3. Permission from the respective national privacy regulator(s).

The big question - one that no-one has provided a definitive answer to yet - is whether these legal means of transferring data to the USA are themselves still lawful after the Safe Harbour judgment, or whether they must be considered unlawful for the same reasons as the defunct Safe Harbour Agreement. The importance of this question cannot be overstated: if Standard Clauses, Binding Corporate Rules, or transfers with specific permission are no longer lawful, then a very large number of European entities will face drastic changes in the way they handle personal data - from large multinational companies to one-man operations!

I am going to attempt to answer this question for those who rely, or are planning to rely, on Standard Contractual Clauses. Reason: for many operations involving the transfer of personal data to the USA, this will be the only viable alternative. This answer considers the following:

  • The EU Court of Justice has clarified (again) that EU law includes a fundamental right to respect for private life, and that this fundamental right also means that any limitations to, and derogations from, the right to privacy must be limited to what is strictly necessary. In summary: in the EU, the right to privacy cannot be limited beyond what is strictly necessary - doing so violates fundamental (human) rights.
  • Legislation that allows indiscriminate access to personal data by e.g. law enforcement or intelligence agencies goes beyond what is strictly necessary. Both the EU Court of Justice and the EU Commission have clearly stated that this explicitly applies to US law. In summary: the indiscriminate spying allowed by US law violates EU privacy laws.
  • The EU Court of Justice has clarified (again) that EU law includes a fundamental right to effective legal protection by independent Courts, and that this right extends to privacy legislation. Such legislation must provide effective legal protection for the right to have access to, demand corrections of, and demand the deletion of, personal data. In other words: anyone whose personal data is being processed must be able to go to Court to demand access to that data, correction of that data, or its deletion.
  • US law does not provide such effective legal protection. This conclusion comes directly from the EU Commission itself, in its document COM(2013) 847 final (see in particular section 7.2).
  • So, US law violates EU fundamental rights on two points: insufficient protection of the right to respect for private life, and insufficient access to an independent Court. What is very important to understand is that this applies regardless of whether a transfer of personal data is based on Safe Harbour, Standard Contractual Clauses or anything else.
  • Therefore, the use of Standard Contractual Clauses to transfer personal data to the USA can only be lawful if US law does not apply to such a transfer and to the data processed in the USA. Of course, that is not, and cannot be, the case. In its documents COM(2013) 846 final and COM(2013) 847 final the EU Commission confirms that there are several US laws that allow large-scale collection and processing of personal data by US agencies.

Conclusion: based on the Court's reasoning in the recent Safe Harbour judgment, transfers of personal data to the USA based on Standard Contractual Clauses must be considered to be unlawful, just like transfers based on the now-defunct Safe Harbour Agreement!

I am not quite the only one coming to this conclusion. The Data Protection Authority of the German state of Schleswig-Holstein has published a position paper that also comes to this conclusion (see section 4). My colleague Menno Weij of the Dutch law firm SOLV comes to pretty much the same conclusion in this weblog entry (text in Dutch).

Of course, the most important question is: what is the impact of this on day-to-day operations? Simple to answer, but very difficult and time-consuming to execute: anyone transferring personal data to the USA would be well-advised to move all such data to providers within the EU or EFTA, and ensure that those providers do not outsource to sub-contractors in the USA either. In other words: stop using US cloud providers for personal data, whether it is Microsoft, Yahoo, Google, or anybody else. And yes - that includes Microsoft Office 365: I recently checked the IP addresses of the Outlook 365 web and email servers - they are located in the USA!

More as things develop.

Update (28.10.2015): The US Senate has just passed the CISA bill, enabling private companies in the USA (including popular cloud providers such as Microsoft, Google, etc.) to voluntarily share personal data with US agencies with full immunity from criminal prosecution and private legal action. In other words: if a US cloud provider decides to share personal data transferred from the EU with any US agency, there might not be anything that can be done against this - even if this is a complete breach of Standard Contractual Clauses. The CISA bill is not law yet (the Senate and House versions still need to be reconciled), but it is very likely to become law soon, and if it does, it is one more very strong argument against the lawfulness of Standard Contractual Clauses and Binding Corporate Rules. My conclusion above stands: anyone transferring personal data to the USA should immediately stop doing so and recover any data already sent.

This weblog is maintained by Dr. Martin Beckmann LLM. If you discover any inaccuracies or factual errors, or have other corrections or questions, please contact him at m.beckmann@beckmann-consult.com or via the contact details listed on our contact page.

© 2013 - 2016 Adviesbureau Beckmann B.V., Eurode-Park 1 - 62, 6461 KB Kerkrade, The Netherlands
KvK / Dutch Chamber of Commerce: 53767373 | Statutaire Zetel / Registered Office: Heerlen
BTW nummer / VAT ID: NL 8510.09.323.B.01
Data Center picture © Gregory Maxwell, distributed under the GNU Free Documentation License v1.2
All other pictures © Dr. Martin Beckmann LLM
