New standards in personal data protection
The issue of the transfer of personal data between the European Union and the United States has long been a touchy subject. The 'Safe Harbour' program has been widely criticized, and recent decisions of the EU Court of Justice are set to introduce a new level of quality. Unfortunately, the Court's decision also entails serious consequences, as explained by Jacek Grabowski from Gemius' legal department.
Setting: compromise and deadlock
For nearly 15 years the 'Safe Harbour' program has enabled the transfer of data between European and US companies. In fact, it was a compromise which generated certain reservations from the beginning. The EU Directive on the protection of personal data, which came into force during the implementation of this program and is still in place, forbids the transfer of data outside the EU unless the other side guarantees equal or higher protection standards. 'Safe Harbour' guaranteed no such protection.
It was criticized primarily for its lack of effective mechanisms for enforcing compliance with the rules of the program, for its limited options for individual complaint submissions, and for dispute resolution mechanisms that were – from a European point of view – non-transparent. 'Safe Harbour' was criticized by the European personal data protection authorities. The European Commission repeatedly tested the program and subtly advocated its revision. The information revealed by Edward Snowden about the large-scale surveillance conducted by US government agencies added fuel to the fire. Emerging from the impasse required bold political decisions. The Commission transferred responsibility to the national data protection authorities, who were bound by the decision of the Commission.
A ground-breaking challenge
In early October, the EU Court of Justice cut the Gordian knot. This was both a bold move and a painful and unfavourable business decision in the short term. The Court held that the national data protection authorities are not bound by the decision of the European Commission. They are therefore responsible for checking whether the regulations under which European data is transferred outside the EU meet the determined standards. In this respect the judgement strengthens the position of the data protection authorities (e.g. GIODO in Poland) and even encourages the authorities to check whether foreign companies which fall under their jurisdiction are acting in accordance with the law.
The CJEU went one step further and assessed that the data protection rules laid down in the 'Safe Harbour' program are not consistent with the standards set out in the Charter of Fundamental Rights and Directive 95/46/EC. The Court determined that the American legal system is lacking when it comes to the guarantee and authorization of data protection (e.g. the right to sue, the right to share and edit data), and that the law allows for mass surveillance, with public authorities having almost unlimited and uncontrolled access to Europeans' data.
The CJEU's decision can be approached from many angles and has serious consequences for various stakeholders.
In light of this judgment, the General Regulation on the Protection of Personal Data is all the more important; this should define coherent Europe-wide standards for the protection of data and legal requirements for the processing of data. It is worth noting, for example, that the definition of personal data in accordance with this act can be fulfilled by a cookie identifier – it may be that every company making overseas transfers of any information about a given cookie identifier or a group of these IDs is covered by this regulation and all its requirements.
The most unpleasant effects will be experienced by companies whose business activity involves the transmission of personal data between the EU and the US, especially considering the kind of information we recognise as personal data. Until there is a relevant international agreement (such as the currently negotiated TTIP), companies must determine the appropriate legal basis for data transfer and ensure that proper standards for its protection are met. They will have to identify which data transfers were carried out under the 'Safe Harbour' program and select the most suitable alternative.
In accordance with Polish law, the premise for legalizing such transfers may be, for example, a contract between the data controller and a given person, the individual consent of GIODO for a particular company (to obtain this consent, the company will have to demonstrate that they have provided adequate privacy protection standards), the introduction of binding corporate rules (approved by GIODO) or standard contractual clauses approved by the European Commission. Given that US companies are accustomed to self-regulatory programs, in the longer term they may adopt the use of data protection instruments, such as binding corporate rules or standard contractual clauses.
The CJEU judgement paves the way for inspections to be carried out by the European personal data protection authorities. These authorities may be of the opinion that no contractual obligations (standard contractual clauses or binding corporate rules) will protect Europeans against mass surveillance on the part of the United States. Such a finding may result in decisions prohibiting particular companies from transferring data to the US. In this sense, the legal risk of activities conducted by companies with headquarters overseas is elevated. This may result in the improvement of data protection standards, with companies ensuring the adequate and appropriate supervision of their processing, but it can also be expected that some European data protection authorities – despite having doubts – will make the decision to allow transfers. At that point, the practical implications of the CJEU judgement will only concern the procedure for determining the legal basis for data transfer. At present it is hard to predict which scenario will come to pass.
The CJEU decision also has a political significance. It could present a huge obstacle to the transmission of data, should the Americans not choose to enhance their protection standards. The influence of the judgement on negotiations under the TTIP agreement between the US and the EU could also be considerable. The agreement, which is intended to standardize regulatory norms, will also have to deal with the standardization of privacy rules on both continents.
We have set sail from the 'Safe Harbour' into uncharted waters. Now anything is possible.