Two weeks after the historic decision of the Court of Justice of the European Union (CJEU) in the Schrems case, striking down the European Commission (EC) decision 2000/520/EC (known as the "Safe Harbour" decision), many people are still left scratching their heads, wondering what it all means. Global businesses face particular difficulties, but so do smaller enterprises which rely on cloud services with globally distributed infrastructures.
One reason why it may be difficult to formulate a response to the decision is that, although the decision itself is relatively straightforward, its legal consequences are not quite so obvious and may vary among the EU member states.
According to Article 25 of EU Directive 95/46 (the Directive), member states of the EU must, subject to some exceptions, prohibit transfers of personal data to countries outside of the EU unless the destination country "ensures" an adequate level of protection of that data. Article 25 also provides that the EC may (through a procedure set out elsewhere in the Directive) issue a finding that a particular country does ensure an adequate level of protection, and the member states are bound to respect that decision.
After intergovernmental negotiations, the EC made such a finding about the United States in the Safe Harbour decision.
The Schrems decision
The CJEU was not asked to decide whether or not the US actually ensures (or provides) adequate protection of personal data, or whether or not transfers of personal data from the E.U. to the U.S. were lawful. It did decide two things:
The Safe Harbour decision itself was invalid (for at least two reasons, the main one being that the Safe Harbour decision failed to demonstrate that U.S. law "ensured" adequate protection); and A decision of the EC under Article 25(6) of the Directive does not prevent the competent Data Protection Authority (DPA) in a member state from exercising its supervisory jurisdiction. (However, since only the CJEU has the authority to overrule a decision of the EC, the DPA may not directly contradict such a decision. If a DPA reaches a conflicting conclusion, this must be referred to the CJEU for resolution.) The decision also articulates a number of principles that attempt to clarify what it means to "ensure" an adequate level of protection. These principles set a high bar that would seem to make it difficult to reach a conclusion that U.S. law does, in fact, ensure adequate protection...