The decision of the Court of Justice of the European Union (“CJEU”) forces Facebook and all other companies collecting and transferring personal data from Hungary to the US to rethink their current practices. One possible solution would be to adopt and register with the Hungarian Data Protection Authority binding corporate rules on the treatment of such data.
In a preliminary ruling proceeding the CJEU invalidated the Safe Harbour Decision adopted earlier by the European Commission. The purpose of the Safe Harbour Decision was to provide a streamlined way for US companies who self-certified that they comply with principles laid down in the Treaty to obtain data from Europe without violating the EU data protection rules. Since many companies rely upon the Safe Harbour scheme to ensure that their US data transfers comply with the data protection rules, this judgment not only affects Facebook but all such companies who will have to look for alternative solutions.
Source: BBC.com via Getty Images
Hungarian companies performing data transfer to the US will have to revisit their data transfer mechanics. In practice this means either obtaining the consent of the data subject or adopting binding corporate rules (BCR) which, however, need to be approved by the Hungarian Data Protection Authority amongst any other involved national data protection authorities.
This decision originates from an Austrian national, Maximillian Schrems, who has been a Facebook user since 2008. Schrems submitted a complaint to the Irish Data Protection Commissioner asking it to prohibit Facebook’s Irish subsidiary transferring his personal data since the US did not ensure an adequate protection against surveillance activities conducted by public authorities. He referred to the revelations made by Edward Snowden concerning the activities of the United States intelligence services like the National Security Agency.
His complaint was rejected by the Irish authority so the case was brought before the High Court of Ireland which requested a preliminary ruling from the CJEU on the question of whether the Safe Harbour Decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and from suspending the contested transfer of data.
The CJEU held that the national data protection authorities have the power to examine, with complete independence, the lawfulness of transfers of a person’s data to a third country when it appears that this country does not provide an adequate level of protection.
Furthermore, the CJEU investigated whether the Safe Harbour Decision is invalid and established that it does not provide an adequate level of data protection as public interest, national security and law enforcement requirements of the US prevail over the Safe Harbour scheme, therefore undertakings are bound to disregard such protective rules provided by the scheme. Consequently, it enables interference by authorities of the United States which creates an unforeseeable risk for those whose data has been transferred.
It follows that the Irish supervisory authority will be required to examine Schrems’ complaint to decide whether the transfer of data of Facebook’s European subscribers to the United States should be suspended on the ground that the US does not afford an adequate level of data protection.
If you would like to discuss the possible consequences for your activity in Hungary and ways to address the implications, do not hesitate to contact us.