“Don’t panic” about EU-U.S. personal data transfers. That's the advice of UK Information Commissioner Christopher Graham. It's excellent advice for anyone considering the recent judgment of the Court of Justice of the European Union (CJEU) in Schrems, in which the CJEU found invalid the EU Commission decision that recognized the adequacy of the Safe Harbor regime under which personal data of Europeans was freely transferred to the U.S. Both Graham and the EU Commission have pointed out the alternative legal bases for transatlantic data transfers that exist, such as contracts, Binding Corporate Rules or consent. Many controllers may be able to avail of these bases and continue their transatlantic data transfers.
But other reasons not to panic—yet—also exist. Not least that transatlantic personal data transfers have not actually been banned. This is not to undermine the significance of the court’s judgment in Schrems; in particular, the importance that the court clearly attaches to privacy and data protection rights illustrated by the determination of that court to invalidate the EU Commission’s Safe Harbor Decision, even as it had not been directly asked to consider the possibility of such invalidity. This importance is also evidenced by the court’s clear statement that it “alone has jurisdiction to declare that an EU act, such as a commission decision adopted pursuant to Article 25(6) of Directive 95/46, is invalid” (paragraph 61 of Schrems).
Some may argue that the logic of Schrems may result in other EU Commission adequacy decisions, such as those about contracts, being found invalid. But the CJEU has made clear that any challenge to any other such decisions will have to be considered by the CJEU. Such consideration will take time.
A difficulty for all judgments of the CJEU is that they are not immediately enforceable at a national level—a reality of which the CJEU is only too well aware. The response of EU member states to last year’s judgment of the court in Digital Rights Ireland is a good illustration of this.
The CJEU was asked questions about the EU’s Data Retention Directive, which required that EU member states mandate the retention of phone and email metadata. The CJEU ruled that such data retention was a “particularly serious” and unjustified interference in the data protection and privacy rights of individuals. It went on to hold that directive to be invalid. The response of the EU Commission has been that it will not be bringing forward a replacement Data Retention Directive. Instead, it has stated that “the decision of whether or not to introduce national data retention laws is a national decision.” These national decisions are interesting. Some member states, such as Austria, Slovakia and the Netherlands, have annulled or suspended their laws. But many, like Ireland, have simply left their data retention laws in place. France, however, has taken a different approach: In response to recent terrorist attacks, it is in the process of adopting entirely new laws, which will greatly enhance the powers of its state to monitor electronic communications.
Enforceability is a particularly acute problem in a case such as Schrems, as the CJEU was not considering the case as a whole but rather providing answers to questions asked by the Irish High Court. Those answers must now go back to the Irish High Court, where Schrems may be listed for mention on October 20. What will happen then remains to be seen, but the outcome of that case may ultimately be that the Irish Office of the Data Protection Commissioner (DPC) will finally commence an investigation into the complaint that Schrems himself sent to the office in 2013. It has been reported that the DPC “is unlikely to complete any investigation until late 2016.” A shorter timeline would seem unrealistic, given the complexity of the investigation that the Irish DPC must now undertake. Of course, such a timeline will give the EU Commission and U.S. authorities time to agree a new Safe Harbor agreement. How such an agreement might address the concerns raised by the CJEU remains to be seen. It might be that domestic U.S. legislation would be required; such U.S. legislation may be enacted in implementation of the EU-U.S. Umbrella Agreement for the transatlantic data transfers between law enforcement agencies. Such a timeline may also allow the EU legislature to complete its long-discussed reform of its 20-year-old data protection laws. If both developments can be completed before the DPC’s investigation comes to a conclusion, then that investigation may be rendered moot. It is, though, entirely possible that the outcome of the DPC’s investigation would be the imposition of a ban upon transatlantic data transfers, pursuant to section 11(7) of the Irish Data Protection Act.
So there are plenty of reasons to stay calm and not panic when thinking about Schrems; of course, that does not mean that there is nothing to think about. Schrems, and the response to Schrems, may give rise to significant risks for anyone engaged in transatlantic personal data transfers. One such risk is that even though there may be no formal prohibition upon such transfers, these may subsequently be held to be in breach of subjects’ fundamental rights to data protection. Such a finding might mean a claim for damages may be made.
Another risk is that the EU does not have an endless supply of data protection experts. The renegotiation of the EU-U.S. Safe Harbor agreement is just one of a host of different reforms now on the EU agenda. Discussing so many reforms at the same time may over-stretch the experts that the EU has, which may cause these reforms to be either rushed or delayed. Yet another risk is that compliance with whatever new rules emerge in response to Schrems may impose significant costs, which Facebook has already estimated may run into “billions.”
But perhaps the most significant risk is that of Internet Balkanisation. One of the worst outcomes of Schrems is that it will embolden those who dream of building a new Atlantic Wall to keep EU personal data in and U.S. technology out. Such a dream would swiftly turn into a nightmare, not least because of the ever-deepening chasm that now separates EU and U.S. data processing technologies and expertise. Even if the EU wanted to build such a wall, which it does not, it would have to use U.S. technology and hire U.S. firms to build what would then become a wall of futility. But the fear that such a wall may be built may itself become a significant risk.