No ‘Safe Harbour’ for EU: What Does the CJEU Decision Mean?

Thanks to our excellent relationship with law firm Allen & Overy, we are very pleased to provide you with this overview of the key recent finding by the EU Court of Justice regarding the Safe Harbour for data coming from Europe.

What has happened?
The EU Court of Justice (CJEU) has declared the Commission’s 2001 decision on Safe Harbour to be invalid, with immediate effect. The CJEU has also held that the existence of any Commission decision that a third country ensures an adequate level of protection (which applies, for example, to Argentina, Canada, Israel, New Zealand, Switzerland and Uruguay) cannot reduce the powers of national data protection authorities, opening up the possibility of future challenges to those adequacy findings as well.

This CJEU judgment has wide ramifications, both in respect of the U.S. Safe Harbour scheme but also beyond.

What is Safe Harbour?
Under the Data Protection Directive, transfers of personal data outside the EEA may, in principle, take place only if the receiving country ensures an adequate level of protection of the data.

The Commission may find that a particular country ensures adequate protection, or other mechanisms can be used to legitimise the transfer, such as using the standard contractual clauses adopted by the Commission (the Model Clauses), or Binding Corporate Rules (for intra-group transfers). The Commission made a finding of adequacy with respect to transfers to U.S. companies who have signed up to the Safe Harbor scheme.

What is the case about?
Max Schrems lodged a complaint about the transfer of his personal data from Facebook in Ireland to Facebook’s U.S. servers. He argued that, following the Snowden revelations in 2013 concerning mass surveillance of data by U.S. intelligence services, data should not be transferred to the U.S. on the grounds that U.S. law does not offer sufficient protection.

Schrems's complaint was initially rejected by the Irish national data protection authority. However, following appeal to the Irish High Court, which in turn referred certain questions to the CJEU, the CJEU has ruled on two issues: (a) the validity of the Safe Harbor regime in relation to data transfer to the U.S, and (b) whether national data protection authorities can investigate and, if necessary, suspend data transfers, notwithstanding the existence of the Commission’s decision that the receiving country is adequate.

What did the EU Court of Justice decide?
The CJEU, in general agreement with Advocate General Bot’s opinion, has declared that the EC decision that Safe Harbor provides adequate protection is invalid. It emphasised that only the CJEU could make such a determination of invalidity.

Additionally, the CJEU confirmed that the Data Protection Directive does not prevent oversight by national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission adequacy decision.

The Irish DPA must examine Mr Schrems’ complaint to decide whether transfer of the data of Facebook’s European subscribers to the U.S. should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

Comments are closed.