1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Safe Harbor Decision today!

Today, the Court of Justice of the European Union (CJEU) handed down its ruling in relation to the Schrems case. As you will have heard, the Court decided that local DPAs should be entitled to investigate matters (regardless of there being a Commission Decision applicable) and, more importantly, that the Commission Decision on Safe Harbor is, in fact, invalid.

DPA rights to investigate

We had all assumed that if a data transfer was subject to Safe Harbor then that was it. You would not have expected a local DPA to investigate Safe Harbor as that was an official decision and it should be up to the Commission to investigate or upgrade it as required.  Then came Snowden. That put Safe Harbor under the microscopic of course.

As a result of Snowden revelations, the Commission has been negotiating with the US for an upgrade to the privacy principles and FAQs. The Court, however, decided that if you read the Data Protection Directive (the famous Article 25 in particular) together with the EU Charter of Fundamental Rights, this must mean that DPAs can investigate Safe Harbor data exports.

In one sense, this turns DPAs into quasi-judicial bodies. More generally, it reflects the two key changes influencing the Court’s thinking here: (i) the Snowden revelations; and (ii) the higher standards imposed by the Charter. Neither of these factors were, presumably, in the Commission’s “corporate mind” when the Safe Harbor Decision was published, way back in 2000. The Charter, in particular, is featuring more frequently in EU data protection case law.

Safe Harbor decision

The Court raised a number of criticisms of the Commission’s original Decision. The Court highlighted that:

  • no consideration had been given to domestic US law as to whether it provided adequate protection for data;
  • the carve out for access to data for national security, crime prevention and other purposes was too broad; and
  • there was no appropriate remedy for EU citizens.

In other words, there were architectural defects in the Safe Harbor regime.  These concerns were brought to light by the surveillance revelations of Edward Snowden.

Should we panic?

No!  However, it is time to think carefully about putting alternatives to Safe Harbor in place (e.g. model contracts or BCRs).  The ICO accepts that this will take time.

Interestingly, the Commission was at pains to point out in their press conference this afternoon that they value international trade and that data flows with the US should continue.  So this is not about “pulling up the digital drawbridge”.  In particular, they have indicated that there will be guidance published to ensure business has certainty and clarity going forward.  They were also keen to point out that the “Safe Harbor 2.0” currently being negotiated is well advanced but that they need a little more time to sort out the national security issue.  Let’s wait and see.  The sooner the better

We are publishing a fuller analysis of the decision tomorrow.  Please contact me if you would like a copy.

Safe Harbor Decision today!

Schrems v. Irish Data Protection Commissioner: some further thoughts

As the dust begins to settle after the headline-grabbing Advocate General opinion in the Schrems v. Irish Data Protection Commissioner it may be worth considering some of the other potential implications arising from that opinion.

Of course, the AG opinion is not the final word on this matter. That will rest with the judgement of the Court of Justice of the European Union (CJEU). And the CJEU is not bound to follow this opinion. So there may well be life left in Safe Harbor (or Safe Harbor 2.0) yet. But if the CJEU follows suit, what else could this mean? (more…)

Schrems v. Irish Data Protection Commissioner: some further thoughts

Subject Access Request risk: limits in sight?

A recent High Court case took a very robust stance on the issue of DSARs (Data Subject Access Requests) being used to fuel litigation.

An individual can make a DSAR to request access to any of his/her personal information. In Dawson-Damer v Taylor Wessing (2015), the Court refused to order compliance with a DSAR against the law firm. The real purpose of the request was to obtain access to documents and information to assist with the applicants’ ongoing litigation. “Context is everything”, said Counsel for Taylor Wessing. There was no suggestion that the applicants wanted to use the DSAR to check the accuracy of the personal data held about them. The Judge was of the opinion that the DSAR would not have been made had it not been for the legal proceedings. This, in light of previous case law (Durant v FSA), was clearly not a proper purpose, he said.

Of course, this doesn’t mean that the ICO takes this view (we know they don’t!). And individuals are still  free to complain to the ICO, as well as to the Court, for breaches of DSAR provisions. However, it will be interesting to see if in due course the ICO adjusts its approach. That being said, the Judge himself indicated that the Court of Appeal, where the case is going next, may take a different viewpoint. Watch this space!

Subject Access Request risk: limits in sight?