European Court of Justice

The European Commission recently determined that the Privacy Shield Framework is adequate to legitimize data transfers under EU law, providing a replacement for the Safe Harbor program. The Privacy Shield is designed to provide organizations on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. Organizations that apply for Privacy Shield self-certification by September 30, 2016, will be granted a nine-month grace period to conform their contracts with third-party processors to the Privacy Shield’s new onward transfer requirements.

Read the full article here.

With the United Kingdom having voted to leave the European Union (Brexit) on 23 June 2016, the free flow of personal data between the United Kingdom and EU and European Economic Area (EEA) countries is at risk. Should the United Kingdom also leave the EEA and thus become a “third country” for the purposes of data transfers, EU/EEA businesses that are currently retaining UK service providers or data centres to handle or store personal data, or are planning to do so, would have to carefully re-evaluate this decision.

Read the full article here.

In its decision on October 6, 2015 (file-no. C-362/14), the European Court of Justice (ECJ) stated that the commonly used Safe Harbor Principles, which were previously deemed to be a safe way to legally transfer data to the United States, are non-binding for national data protection authorities. Thus, after this judgment, the harbor is not “safe” anymore. The court’s decision causes great difficulties for a wide range of internationally operating companies that regularly transfer personal data to their U.S. parents.

The Facebook Case

In this case, the ECJ had to decide whether the national Irish data protection authority could independently investigate and assess a complaint from an Austrian citizen who claimed that the Irish subsidiary of Facebook illegally transferred his personal data to the United States and illegally saved them on a U.S. server. The Irish data protection authority rejected the complaint on the grounds that Facebook submitted itself to abide by the Safe Harbor Principles. Based on a decision of the European Commission on July 26, 2000, data transfer to a company that submitted itself to the Safe Harbor Principles, on which the U.S. Department of Commerce elaborated, was considered under European law to be “safe” (i.e., an adequate level of data protection was guaranteed). As Facebook met these standards, the transfer to Facebook’s U.S. server should have been considered absolutely safe and thus legal, given the European Commission’s decision.

Reasoning of the Decision

This held true until October 6, when the ECJ clearly rejected the widely used and regarded as secure Safe Harbor practice, despite the European Commission’s decision in 2000. The judges criticized several aspects of the Commission’s decision.

First, the ECJ found that the European Commission lacked the authority to make a binding decision on behalf of the national data protection authorities about whether companies that submitted themselves to abide by the Safe Harbor Principles met the required standard for a legal transfer. In addition, the ECJ emphasized that the European Commission failed to properly consider in its decision that in case of a conflict of laws, U.S. law supersedes the Safe Harbor Principles. Last but not least, the European Commission did not consider the key fact that U.S. state authorities are basically granted un-restricted access to any data transferred to the United States (as has been proven by the National Security Agency (NSA) scandals that Edward Snowden exposed). The ECJ complained that state authorities were not covered, and even more importantly not bound, by the Safe Harbor Principles. Also, the court noted that the individuals concerned had no administrative or judicial means of getting informed about their saved data or enforcing the saved data to be deleted.

What Does This Ruling Mean – in the Facebook Case and in General?

For the reasons above, the ECJ required the Irish state authority to examine the Facebook complaint with due diligence and, at the conclusion of its investigations, to decide irrespective of the Safe Harbor Principles whether the transfer of the data of European Facebook users to the United States should be suspended on the grounds that the United States does not afford an adequate level of protection of personal data. This equally applied to all other EU member states and was not limited to the data transfer of Facebook. European citizens may request the national state authority for data protection to investigate whether the transfer of specific personal data to the United States complies with European standards.

General Standard Clauses

Another previously safe way to legally transfer data to third-party countries was the use of so-called general standard clauses that were enacted by the European Commission and guaranteed an adequate level of protection of personal data. However, the court’s reasons that justified the invalidity of the Safe Harbor Principles suggest that the general standard clauses would most likely share the same destiny. The general standard clauses were negotiated and enacted by the European Commission, which lacked the authority to do so. Also, the general standard clauses are risky, because the European Commission has not properly assessed that U.S. state agencies would have un-restricted and comprehensive access to any transferred data. However, the general standard clauses will enjoy a grace period until the ECJ declares them non-binding.

The ECJ’s recent decision will certainly increase the already-existing legal insecurities relative to data transfer from Europe to the United States. The newly negotiated agreement between Brussels and Washington on the transatlantic transfer of personal data will most likely have little impact on this legal un-certainty, as the judges expressly doubted the European Commission’s authority to enact binding rules for member states’ data protection authorities.

European employers should exercise caution in the event of the dismissal of an obese employee.  The European Court of Justice (ECJ) determined that obesity may qualify as severe disability if it significantly restricts participation in working life (ECJ, judgment of December 18, 2014 in Case C-354/13).  This decision may be relevant not only for dismissals but also in hiring decisions. In order to avoid undue discrimination, an employment rejection letter should in no way whatsoever refer to the applicant’s weight.  The plaintiff in the present case was an obese nursery teacher who filed a suit against his employer, the Danish community Billund, because of his dismissal.  The employer argued that the dismissal was due to declining numbers of children being registered.  The nursery teacher argued that the reason for his dismissal, after 15 years of employment, was his obesity, which constituted undue discrimination due to disability.

The ECJ clarified that European Union law does not contain a general prohibition with respect to obesity discrimination in employment.  Nevertheless, obesity may qualify as severe disability if it significantly interferes with full and equal participation in working life.  This can happen in cases of a particularly serious obesity of long duration, which causes physical, intellectual and mental impairment.  According to this definition, the cause of the obesity is irrelevant.  Now, following the decision of the ECJ, the Danish trial court has to decide if the nursery teacher’s obesity significantly interferes with full and equal participation in working life.

The decision of the ECJ may have significant impact on German employment law.  Up until now, only conditions resulting from obesity (e.g., diabetes or chronic back pain) qualified as a severe disability.  Following the decision of the ECJ, obesity itself may qualify as severe disability.  It remains to be seen whether – and, if so, at which level –the ECJ will establish thresholds under which a dismissal or a rejection of an applicant is considered discriminatory due to obesity.  Until then, the decision of the ECJ gives rise to considerable legal uncertainty.

The German Federal Labor Court made a very clear ruling regarding job applicants in Germany who are not offered the position for which such applicants applied.  In the Federal Labor Court’s view, a rejected applicant has no right to know whether another applicant was offered or accepted the position.  (Federal Labor Court, verdict dated April 25, 2013, case number 8 AZR 287/08)

This case concerned a plaintiff who was born in the former Soviet Union in 1961.  She applied for a position that was advertised by a German company, the defendant in this case.  Even though the plaintiff fulfilled all required qualifications, she was rejected and did not receive a job offer.  The plaintiff presumed that this decision was based on discrimination for her gender, age and origin.  The Federal Labor Court submitted the case to the European Court of Justice to determine whether the job applicant had a right to information regarding why she was not selected, or if another applicant was selected for the position.  The European Court of Justice rendered its verdict on April 19, 2012 (case number C415/10), and stated that rejected job applicants had no right to this information under European law.

The German Federal Labor Court dismissed the case because it could not detect any evidence of discrimination.  The mere refusal of the defendant to disclose any information related to the application process and/or the hiring could not establish the presumption of an inadmissible discrimination, according to Section 7 of the German General Equal Treatment Act.

However, this ruling has to be viewed with great caution.  The German decision is not in line with the aforementioned ruling in the same matter of the European Court of Justice.  The European judges, in contrast to the German Court, stressed that the complete refusal to give out any information regarding the hiring could actually be evaluated as a presumption of possible discrimination.  This remarkable difference in the two verdicts was not explained by the German judges and as long as their reasoning remains unclear, German employers should provide a short explanation to rejected applicants when they ask the reason why they have been rejected for an open position (e.g., the other candidate better satisfies the qualification profile, made a better impression at the job interview, seems to be a more motivated and energetic person, etc.).