On 6 October 2015, the European Court of Justice (the ECJ) handed down a landmark ruling in the case Schrems v Data Protection Commissioner. The Schrems judgment has sent shockwaves throughout the European Union and the United States, but may also become relevant in the Dutch Caribbean.
The ECJ effectively nullified what is known as the EU-US Safe Harbor Framework. Essentially what this means is that personal data may no longer be transferred to the US from the EU under the existing safe harbor scheme. The ECJ partially based its reasoning on Edward Snowden’s 2013 revelations and publications relating to mass government surveillance in the US by the NSA, thus holding that insufficient safeguards are in place in the US with respect to the data of EU citizens. Additionally, the ECJ reasoned that the US allows the large-scale collection and transfer of personal data of Europeans, without any form of redress or effective judicial protection afforded to the latter.
What is Safe Harbor?
The Safe Harbor framework was derived and adopted pursuant to a decision by the European Commission (the EC) on the basis of authority conferred upon it by the EU’s current Data Protection Directive. The Directive gives the EC the authority to decide whether personal data transferred outside the EU receives an “adequate level of protection” in the countries it is being transferred to. Accordingly, in a 2000 decision, the Safe Harbor Framework was put into effect, allowing companies based in the US to store the personal data of Europeans (coming from servers in the EU) on US-based servers without having to adhere to the EU’s stringent privacy laws and guidelines. The Safe Harbor framework allowed US companies to “self-certify” their compliance with EU data protection law standards. A “promise” to comply, if you will, which many have argued has gone insufficiently controlled and become a free-for-all. Furthermore, while self-certified companies may adhere to the Safe Harbor guidelines, US public authorities such as the NSA are not subject to them.
What does this mean?
While the Schrems decision does not order an immediate end to EU-US data transfers, it does give EU regulators the right to investigate and suspend these data transfers if they find that they do not provide sufficient protection in line with EU guidelines. Therefore, a level of protection that is legal and adequate in the US may very well be illegal in the EU. In addition, the ruling gives national data-protection authorities the right to override any data transfer agreements that give rise to a cause for concern with respect to how the personal data of Europeans is being handled.
Implications for the Dutch Caribbean?
Although our jurisdictions are part of the Kingdom of the Netherlands and subject to adherence to rulings by the Dutch Supreme Court (i.e. our highest court), the Schrems ruling has no immediate effect for Aruba, Curaçao, Sint Maarten, Bonaire, Sint Eustatius and Saba, as all the islands currently have OCT status within the EU. This means that they are not part of the EU and the EU acquis (i.e. legislation, legal acts, and court decisions constituting the body of EU law) does not apply to them. A review of the OCT status of Bonaire, Sint Eustatius and Saba (the BES islands) and the possibility of changing to an OMR status, under which EU law would apply to the BES, was set to take place in the Dutch parliament in 2015. At this time, however, no such discussions have taken place. Should the status of the BES islands change, Schrems could very well have effects that stretch to data transfers from the BES islands to the US.
The coming months will determine how regulators fill the current void. In the interim, companies making use of the Safe Harbor framework to transfer personal data from the EU to the US are encouraged to evaluate their current structure for compliance and await further guidelines from Member States and EU bodies on a high level.