Privacy Law Client Update

October 18 2017

Schrems 2.0 – Irish Courts hand down Groundbreaking Precedent on the International Transfer of Personal Information

Recently, the Irish High Court handed down a groundbreaking precedent in a case known as the 'Schrems 2' case. This precedent is likely to affect the ability of companies to transfer personal information from Europe to the USA. The proceeding commenced as a complaint made against Facebook by Max Schrems, an Austrian law student, with the Data Protection Commissioner in Ireland. Schrems claimed that the transfer of his personal information by Facebook out of the European Union to its parent company in the USA was contrary to European law and that such transfer should be prohibited.

The essential ground for his claim was that the law in the USA does not afford an adequate level of protection to European citizens compared to the level in Europe, in light of the Snowden affair and the wide authority of the American authorities to receive personal information which is protected under privacy laws. In 2016, the Irish Data Protection Commissioner found in favor of Schrems but referred the matter to the Irish High Court. Recently a decision was handed down in which it was found that there are concerns regarding the protection of personal information transferred to the USA and that, since this is a matter concerning all the citizens of the European Union, it is necessary to approach the High Court of Justice of the European Union (CJEU).

The questions have not yet been referred to the CJEU, since the Irish High Court has suggested that the parties agree on the drafting of the exact questions to be put for decision. Nevertheless, the Judge has defined three principal questions:
  • Should the Data Protection Authority or court conduct its own adequacy analysis of the U.S. system?
  • Should the Data Protection Authority or court analyse remedial options for EU citizens in the U.S.?
  • Are whatever limitations on remedies which EU citizens face proportionate in the face of preserving the rights and freedoms of others?

This issue is a continuation of a matter from 2015, in the framework of which the CJEU decided that the transfer of personal information from the European Union to the USA via the mechanism known as the Safe Harbor does not meet the adequacy requirements under European law. As a result, the Safe Harbor arrangement was cancelled and in parallel Facebook – like many other American companies – moved to using a contractual mechanism. However, currently the use of this contractual mechanism is also in doubt. This is a mechanism known as Standard Contractual Clauses – SCC's – which is based on the language of contractual arrangements which the European Union decided gave sufficient protection to privacy.

This has not yet been referred to the CJEU, and the procedure before it is expected to take a long time, apparently even until after May 25, 2018, the date on which the new Directive of the European Union on the Protection of Privacy (GDPR) is to enter into force. This Directive will bring in a standard European privacy law which will apply globally. It is emphasized that the adequacy of the transfer of personal information from Europe to various countries is supposed to be re-examined by the European institutions under the strict principles of the GDPR, and it is possible that, in parallel to the legal proceedings, such re-examination may result in a decision as to the adequacy of the US law. It should also be mentioned that about 88% of the transfers of personal information from the European Union to the USA are carried out today using the SCC's mechanism, and so many are waiting for the decision of the CJEU on this issue.

This decision will also affect the ability to transfer information from Israel to the USA, since if the European Union decides that the SCC's are not valid, the effect will be that this mechanism does not meet the requirements of Regulation 8(2) of the Protection of Privacy (Transfer of Information to a Database outside the State) Regulations – 2001, since such mechanism would then not meet the requirements of Israeli law.  This would be the same result as in the past when the Israeli Privacy Authority decided that the Safe Harbor mechanism did not meet Israeli law requirements following the cancellation of the Safe Harbor mechanism in Europe.

There is an additional mechanism recognized by the European Union for the transfer of information on Europeans to the USA, known as the Privacy Shield, and it is possible that European and American companies will prefer at this stage, for so long as the legal situation is not clear, to use this mechanism for the transfer of personal information from Europe to the USA. However, the Israeli Privacy Authority has not yet issued its opinion concerning the validity of the Privacy Shield under Israeli law for validating the transfer of information on Israelis to the USA, and the general opinion is that it does not meet the requirements.

Links:

The Decision in the Schrems 1 Case – in the CJEU
 
The judgment in the Schrems 2 Case – in the Irish High Court

The Decision of the Israeli Privacy Authority Concerning the Safe Harbour

 
Disclaimer: This Newsletter is intended only to provide general updates to clients and for no other purpose. Nothing in this Newsletter constitutes any opinion or advice on the subject matter dealt with therein. For any advice or opinion, clients are advised to approach the relevant lawyer at Naschitz, Brandes Amir & Co.

Contact Us:

Adv. Efrat Artzi
tel: 972-3-6236050
email: eartzi@nblaw.com

Dalit Ben-Israel
tel: 972-3-6236009
email: dbenisrael@nblaw.com

Edited by Dr. Sharon Yadin, Adv.
English version by Adv. Helen Raziel