Case Watch: Making Sense of the Schrems Ruling on Data Transfer

This week’s Schrems judgment of the Court of Justice of the European Union on data transfer between the European Union and the United States has been widely publicized, reflecting the vital role that digital data plays in the global economy. The court’s ruling is subtle and careful—and it has already been misunderstood in some quarters. While it stopped short of ruling that current U.S. law is incompatible with EU rights, it sets the stage for such a decision in future litigation.

The safe harbor decision in question was adopted by the European Commission in 2000 under the EU Data Protection Directive. The decision stated that the United States ensures an adequate level of protection for personal data transferred there from the EU, and it operated as an EU-wide permission for companies which use the U.S. to store data collected in the EU.

In its judgment, the CJEU made two rulings. First, that the existence of the safe harbor decision did not prevent the national data protection authority from investigating a complaint that the U.S. does not ensure an adequate level of protection. Second, the court ruled that the safe harbor decision is invalid. These decisions have immediate effect. There is no appeal from the ruling, but Schrems’ case remains before the Irish court, to be decided in accordance with the ruling.

The court ruled the safe harbor decision was invalid on the basis of its interpretation of established EU rules that state that a foreign state’s system of data protection must be “adequate”. The court ruled that this standard is only met if the protection is “essentially equivalent” to the EU’s Data Protection Directive. Moreover, this protection must be guaranteed by the law of that state or its international agreements.

The court ruled that European Commission must include in any safe harbor decision reasons for considering that both these conditions are met. The court declared the safe harbor decision invalid, because it did not meet this requirement of reasons.

Contrary to many reports, the court did not decide whether U.S. law meets the “essentially equivalent” standard. The court’s advocate-general considered it did not, based on the findings made by the Irish court which sent the case to the CJEU. But the CJEU did not take this approach. It based its ruling entirely on the failure of the Commission to state that U.S. law meets that standard.

This was a wise course for the court. Because Mr Schrems had not raised the validity of the safe harbor decision before the Irish court, that court had not formally referred the issue to the CJEU. This meant that the detail of U.S. law was not in evidence and argued out before the CJEU. By striking down safe harbor only for lack of reasons, the court placed the blame for that on the Commission and avoided a final ruling on U.S. law. When the court has previously chosen to confront the legal systems of powerful global actors, it prefers to rule on the law before it rules on the facts.

In theory, the Commission could attempt to issue a new, re-formulated safe harbor decision. But to do so, it must be able to show that the U.S. guarantees EU-level data protection. The Schrems judgment has very strong indications about the high level of protection this would require—beyond current U.S. law and likely beyond what U.S. spy agencies are willing to accept. The court ruled that EU requirements are not met by a foreign state that authorized generalized data storage and access by public authorities other than on targeted grounds. Crucially, the CJEU ruled that the protections for personal data must be guaranteed by national law.

It is very unlikely that the Commission will be able to assert that U.S. law provides these guarantees. The U.S. government claims that its PRISM data program “is targeted against particular valid foreign intelligence targets, duly authorized by law, and strictly complies with a number of publicly disclosed controls and limitations.” Like the UK’s GCHQ, the U.S. asserts the right of its security agencies to hold all the data, and then to examine it according to administrative criteria. Disclosure of these criteria does not seem to meet the EU requirement that they are also prescribed by law. There seems no chance of congress amending U.S. law to limit access to this data.

The second obstacle to a new safe harbor decision is the lack of U.S. judicial remedies. While the CJEU did not rule that the U.S. law lacks remedies, it did rule that EU law requires effective judicial remedies guaranteed by U.S. for anyone whose data is transferred outside the EU. This is not limited to EU citizens, or even to residents. The U.S. Judicial Redress Bill, which looks unlikely to be passed anyway, would only apply to EU citizens.

Even if the Commission could bring itself to make a new safe harbor decision for the U.S., that would vulnerable to a second invalidity challenge before the CJEU for lack of effectively protective U.S. laws.

National data protection authorities, meanwhile, do not need a Commission safe harbor decision to decide that the U.S. provides adequate protection, generally, to EU data subjects. Each state can do this itself under Article 25(1) of the Data Protection Directive, applying EU law standards.

The Irish data protection commissioner looks set to consider this in the Schrems case. The national authorities of other EU countries may do the same and their decisions are subject to review by national courts. These courts could determine the facts about U.S. surveillance and legal protections, rule on its adequacy and strike down national decisions allowing data transfer. If needed, they could refer questions of law to the CJEU, giving that court an effective opportunity to rule on Snowden’s information.

For the same reasons the Commission is very unlikely to make a new valid safe harbor decision, there is little chance of a sustainable national finding that the U.S. provides EU-level protection.

So where does this leave data transfers between the EU and the U.S.? The current model of transatlantic spying depends upon commercial organizations sending massive amounts of personal data across the Atlantic to be stored there. Commercial organisations and their lawyers have claimed they can continue this under the EU system of ‘binding corporate rules’. But these rules are only directed to the data controller: they do nothing to constrain U.S. public authorities.

That is why these internal procedures do not figure in the four ways for data transfer to continue under the Data Protection Directive. Three of these are very narrow and do not serve the purposes of the transatlantic spying networks: performance of a contract (e.g. credit card details), important public interest grounds, and vital interests of the data subject.

Only one legal basis has the potential for massive data transfer. Data controllers may use clauses in consumer contracts as ‘unambiguous consent’ waiving EU protection under Article 26(1)(a) of the Data Protection Directive. But these boilerplate clauses may not be informed consent and withstand challenge under EU privacy or unfair contract terms law.

The Schrems judgment is clearly not the last word on this issue. But it may have struck a fatal blow to mass transfer of data across the Atlantic, depriving U.S. spying agencies of a means to obtain mass data that includes intimate details of millions of personal lives.

The Open Society Foundations support the work of Digital Rights Ireland, one of the parties before the Court of Justice in this case.