The Court of Justice of the European Union handed down its judgment yesterday in Maximillian Schrems v Data Protection Commissioner (Case C-362/14) (curia.europa.eu judgment text). The Safe Harbour decision adopted by the European Commission in 2000 (Decision 2000/520/EC) is invalid. The legal mechanism that has underpinned approximately four thousand five hundred US companies' lawful transfer of European personal data to the United States since the year 2000 is gone, with no transition period.
The judgment's reasoning is, on a first reading, narrower in technical legal terms than the policy consequences are wide. The Court found that the Commission's decision exceeded its authority by purporting to limit the powers of national data-protection authorities to investigate and act on complaints about the adequacy of protection in a third country. The Commission did not have the power to make that limitation, the limitation is invalid, and as a structural consequence the Decision 2000/520 cannot stand. Beyond that procedural finding, the Court also addressed the substantive adequacy question — whether the level of protection in the United States is, in fact, "essentially equivalent" to that guaranteed in the EU under Directive 95/46/EC — and answered, in the light of the Snowden disclosures and US legal frameworks for bulk surveillance, that it is not.
This is a substantial finding. The substantive part of the judgment, in particular paragraphs 90 to 95, will be cited for the next decade. The Court's reasoning that mass surveillance, conducted on a generalised and indiscriminate basis without effective judicial oversight, is incompatible with the essence of the right to private life under Article 7 of the Charter is a piece of constitutional reasoning that goes well beyond Safe Harbour and will inform every adequacy assessment Europe makes about every third country going forward.
For the operational vCISO work, the consequences are immediate and unwelcome. Customer organisations in our portfolio that rely on Safe Harbour-certified US providers for personal data processing — which is to say, almost all of them, because Safe Harbour was the routine mechanism for cloud services, payroll, customer relationship management, and analytics — are without lawful basis for those transfers as of yesterday. The Article 29 Working Party will issue guidance shortly, and the national data-protection authorities will indicate enforcement intent. The likely path is that the Commission will negotiate a successor framework — there is already work in progress between the Commission and the US Department of Commerce on what is being informally called Safe Harbour 2.0 — but that will take months at minimum, and possibly longer.
In the interim, the alternatives are well-established but operationally heavy. Standard Contractual Clauses (SCCs) approved by the Commission can be used between data exporter and data importer; the SCCs predate Safe Harbour and remain valid, although the Schrems judgment's substantive findings about US surveillance arguably affect them too, and that question will be litigated. Binding Corporate Rules (BCRs) for intra-group transfers are valid but take a year or more to put in place and require national-DPA approval. Explicit, informed consent of the data subject is valid but operationally impractical at scale. Article 26 of the Directive provides various derogations — necessity for performance of a contract, important grounds of public interest — that can support specific transfers but are narrow and not a general substitute.
For the immediate inbox, I have spent today drafting four notes. To Browne Jacobson: their primary US data flows are through their US correspondent counsel relationships and through one US-based document-management vendor, and the action is to migrate the document-management contract to SCCs immediately and to confirm the SCC posture with their counsel-relationship counterparties. To Towry: the trading-platform refresh I mentioned in January now has a Safe Harbour question that needs answering by every shortlisted vendor before the next selection meeting. To Northcott: the operational data flows include several US-headquartered telephony and SMS providers, and the action is a vendor-by-vendor inventory and SCC migration. To the manufacturing client: the US subsidiary's data flows back to the European parent are uncomplicated by yesterday's judgment, but the European parent's use of a US-headquartered HR analytics vendor is squarely affected.
The structural commentary is briefer. The Schrems judgment is the second time in eighteen months that a European court has reshaped the rules of data flow on the basis of Snowden disclosures — the first being the Digital Rights Ireland judgment (Case C-293/12) of April 2014 invalidating the Data Retention Directive. The pattern is that the disclosures of 2013 are still working their way through the legal system, and the operational consequences will continue to land on infrastructure teams for years. The General Data Protection Regulation, when it is finalised — the trilogue is now expected to conclude before the end of the year — will set the next layer of rules, and the adequacy assessments under GDPR will be informed by the standards Schrems has now articulated.
I will be drafting more on this through October as the Article 29 Working Party guidance lands and the national DPAs respond. The short version, for the customer briefings, is that Safe Harbour is gone, SCCs are the immediate fallback, and the vendor inventory needs to be done in the next thirty days, not the next ninety.