Europe's highest court, the European Union Court of Justice (CJEU), released a decision on October 6, 2015, declaring invalid the EU Commission's Safe Harbor program, which allowed for legal data transfers between the EU and the United States. With this decision, the CJEU takes a restrictive stance towards privacy rights, emphasizing that the EU regime requires compliance with a high standard of privacy protection. The declaration of invalidity significantly impacts companies that transfer EU citizens' data to the United States. Although Canada was not a party to the Safe Harbor program and data transfers from the EU to Canada are generally permissible, the CJEU decision may have a ripple effect in Canada.
The Safe Harbor program and its principles
In 1995, the EU passed the Data Protection Directive (European Directive), which establishes a uniform set of privacy laws that apply across Europe and also establishes guidelines to protect data as it moves between countries and outside of the jurisdiction of the EU. Specifically, the European Directive required that any country wishing to receive EU citizens' data must offer privacy protection equivalent to the European Directive. According to the European Directive, the European Commission (EC) could suspend all personal data transfers to countries whose privacy regimes were deemed inadequate.
The United States did not have a national privacy regime that was considered sufficient to meet this EU requirement. However, in an effort to address concerns about data transfers between the EU and the United States, the U.S. Department of Commerce and the EC negotiated the Safe Harbor program, which allowed U.S. organizations to voluntarily implement a number of privacy principles agreed upon by the U.S. and EU, thus permitting lawful data transfers from the EU Member States to the U.S. while protecting personal data.
The Safe Harbor program required U.S. participating organizations subject to the jurisdiction of the U.S. Federal Trade Commission and receiving personal data about EU citizens to certify with the U.S. Department of Commerce that they adhered to the Safe Harbor protective policies. The stringent obligations of the Safe Harbor program included:
- submitting a self-certification each year attesting to continuing compliance with the program;
- providing notice to users about the kind of information being collected and the purposes for which it may be used;
- allowing individuals to access their information, to correct, amend or delete it where it is inaccurate, and to choose whether it may be disclosed to third parties;
- ensuring that adequate security protections are in place to guard against loss, misuse and unauthorized access to the information; and
- sharing that information only with third parties that also uphold the Safe Harbor principles or are themselves subject to EU law.
The Safe Harbor was recently invalidated by the CJEU
The case of Schrems v. Data Protection Commissioner prompted the CJEU to review the EC's Safe Harbor decision. The complainant, Maximilian Schrems, an Austrian citizen, brought a claim before the Irish Data Protection Commissioner in relation to Facebook's Irish subsidiary transferring his personal information to Facebook servers in the U.S. Following the 2013 revelations about the practices of the U.S. National Security Agency (NSA), Schrems claimed that the data transferred to the U.S. Facebook servers was subject to surveillance by the NSA, and argued that the Safe Harbor program did not provide adequate protection against such surveillance. The Irish Commissioner refused to investigate Schrems' claim, citing Facebook's participation in the Safe Harbor program. Schrems challenged the Irish Commissioner's decision and the question was referred to the CJEU in June 2014.
The CJEU ruled that it alone had the jurisdiction to invalidate an act undertaken by the EU, while stressing that the national supervisory authorities still have independent powers to review the adequacy of protection of personal data under the Charter of Fundamental Rights of the European Union and the European Data Protection Directive. These national supervisory authorities have the power to examine findings on adequacy of privacy measures with respect to complaints brought before them, in spite of the existence of the Commission Decision that a third country ensures adequate protection.
The CJEU was critical of the EC's Safe Harbor decision, commenting that the EC was tasked with determining whether U.S. domestic law and its international commitments offer a level of protection of fundamental rights equivalent to that guaranteed under EU law. Instead, according to the CJEU, the EC merely examined the Safe Harbor scheme, which applied only to the individual organizations that had self-certified their compliance with the Safe Harbor principles, and not to U.S. public authorities.
In addition, the CJEU noted that adherence to the program was limited by national security, public interest and law enforcement requirements, which prevail over the Safe Harbor scheme where the two conflict. Allowing public authorities to have access "on a generalised basis" to the content of electronic communications left data potentially vulnerable, "compromising the essence of the fundamental right to respect for private life." The far-reaching access powers of U.S. public authorities beyond the protective scope of Safe Harbor (i.e. mass surveillance by the NSA) were found by the CJEU to be incompatible with the principles of the EU Data Protection Directive and the EU Charter of Fundamental Rights. Furthermore, the Court found that under the Safe Harbor program, EU citizens have no recourse to challenge the use or interception of their data by the U.S. government, which "compromises the essence of the fundamental right to judicial protection."
In light of the CJEU's finding that the EC Decision on the Safe Harbor program was invalid, the Irish Commissioner must now re-examine whether the transfer of personal data from Facebook Ireland Ltd. to Facebook Inc. in accordance with Safe Harbor offers European users an adequate level of data protection. If Facebook Ireland Ltd. is found to have inadequate protective measures in place (through the use of Safe Harbor or otherwise), it may lead to the suspension of Facebook Ireland Ltd.'s transfers of personal data to its American counterpart.
In his letter to the Irish authorities, Schrems calls for the suspension of all data transfers from Facebook Ireland Ltd. to Facebook Inc., and an audit of Facebook Inc. and its sub-processors. Schrems has since lodged additional complaints before the Belgian Privacy Commissioner and the German Data Protection Authorities in an effort to stop Facebook's data transfers to the U.S.
In a statement following the October CJEU ruling, the EC announced it would consider a new Safe Harbor program with the U.S., to be completed by the end of January 2016. Failing such an agreement, the EU data protection authorities are to "take all necessary and appropriate actions" to ensure that the privacy of EU citizens' data is protected. The statement sets out some alternatives that U.S. companies may be permitted to use now that Safe Harbor has been invalidated, such as standard contractual clauses and binding corporate rules. However, Schrems insists that a new Safe Harbor system between the U.S. and the EU is irrelevant to his complaints and calls on the EU data protection authorities to examine his complaints regardless of such developments in the meantime.
What does this mean for Canada?
Canada's enactment of its federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), was motivated in part by the EU Data Protection Directive. In 2002, the EU Commission determined that PIPEDA provides an adequate level of protection for the purpose of data transfers from the EU to Canada. Therefore, the Schrems decision should have no immediate impact on data transfers from the EU to Canada where the transfer is made to an organization that is subject to and compliant with PIPEDA.
However, it should be noted that in 2013, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs called for a review of Canada's privacy regime due to Canada being a member of the "Five Eyes Alliance". It remains to be seen whether Canada's PIPEDA will be challenged before the European Court or national supervisory authorities of any EU member state on the basis that it no longer provides adequate protection for EU citizens' data.
Given that the CJEU decision affects transfers of personal data from the EU to the U.S., it may have an impact on Canadian organizations that transfer, store or host EU citizens' data to or within the territory of the United States. Canadian organizations that engage in such practices will need to consider alternative means that may offer an adequate level of protection to EU citizens' data, such as the standard contractual clauses and binding corporate rules referenced above.