The recent “Facebook” decision by the European Court of Justice can be interpreted from two different perspectives, which are not (however) mutually exclusive. The first interpretation is of a legal-technical nature, while the second is political.
Let us start with the first. The facts are known as are the conclusions. The United States is not considered to be a country that guarantees an adequate level of protection in accordance with the Directive on personal data protection, dir. 95/46.
The path is outlined in art. 25 of the Directive, which is hereinafter quoted for convenience and clarity, in order to better understand the past (the decision) and the future (the currently open directions).
1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer, may only take place if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.
4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.
5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.
6. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.
Member States shall take the measures necessary to comply with the Commission’s decision”.
In the past the Commission had deemed the level of protection afforded by the Safe Harbour framework to be appropriate, but this decision by the Court shows its disagreement and invalidates the Safe Harbour.
This does not imply, however, that the transfer of personal data to the United States can no longer take place. It can take place on the basis of the express consent of the interested party or on the basis of the Binding Corporate Rules. Therefore either the interested party may give their consent for the transfer or the data controller may adopt management rules approved by the Data Protection Authority that will allow the transfer.
So, what is the difference then? The difference is that it will not be possible to use the Safe Harbour framework, i.e. transfer data to the United States without consent or without pre-approved rules, that is assuming the data to be protected in the United States in the same way as they are in Europe.
From a strictly legal-applicative point of view all comment ends here. Undoubtedly, there will be higher management costs for those who transfer data from Europe to the United States, but there will certainly be no ban.
On the other hand, the political interpretation of the decision which follows roughly a year after the Google Spain case is far more problematic. As mentioned above, in the Court’s opinion, the United States does not provide an adequate level of data protection.
Essentially the Court states that the level of protection of personal data is higher in Europe and that it is the European law which should be applied to European subjects’ personal data (apologies for this simplification, obviously the decision refers to data transfer from Europe under certain conditions). Similar assertions can be found in the Google Spain decision.
The Court anticipates the contents of art. 3 of the forthcoming European regulation for the protection of personal data with another decision which is also political. Then again, personal data protection has constitutional significance in Europe (article 8 of the Charter of Fundamental Rights), but not in the USA. This obviously reflects a different scale of values in two regions of the world, albeit very similar to each other if compared to the Asian region. This of course has a cost, which big players such as Google and Facebook can much more easily afford than small ones. And it underlines that Europe and the United States have not (yet) reached a political agreement on the question.