Legal Update: EU-US Safe Harbor Ruled Invalid by the Court of Justice of the European Union
8 October 2015
EU-US Safe Harbor Ruled Invalid by the Court of Justice of the European Union
In a much-anticipated and far-reaching decision, the Court of Justice of the European Union ("CJEU") has ruled that the Safe Harbor agreement between the European Union and the United States is an invalid mechanism for the transfers of data from the EU to the US. The Safe Harbor, which had been devised by the European Commission and the U.S. Department of Commerce in 2000, has worked as a framework for the transfers of personal data from the EU to recipients in the US in compliance with the restrictions on the transfers of personal data as set out in the Data Protection Directive 95/46/EC, which allows transfers of personal data only if a non-EU third country ensures, or the Commission have found such a non-EU third country to ensure, an adequate level of protection for personal data.
In the case (C-362/14), which concerned a dispute between Austrian law student Max Schrems and the Irish Data Protection Commissioner, the CJEU was asked by the High Court of Ireland to consider whether a data protection supervisory authority was bound by the European Commission’s decision according to which the Safe Harbor provided an adequate level of protection for European data. As an answer to this question, the CJEU states that no provision of the Data Protection Directive prevents oversight by the national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission decision. Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive. However, the CJEU further states that it is ultimately the Court of Justice which has the task of deciding whether a Commission decision is valid or not.
The CJEU went beyond the original and was of the opinion that the Safe Harbor does not in fact provide an adequate level of data protection as the legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.
Obviously, the CJEU’s decision will have a significant and immediate impact for any business currently relying on the Safe Harbor arrangement in their transfers of personal data to the US. If Safe Harbor has been used as the only data export mechanism, the national data protection authorities are likely to find that protection afforded by the Safe Harbor is not adequate and to suspend the data transfer on the ground of the Safe Harbor. Thus, it is clear that companies which transfer personal data between the EU and the US should consider other legal grounds for transfer, such as the use of the Commission-approved Standard Contractual Clauses or other conditions, including obtaining the consent of the data subject. It would also be advisable to review the contracts with service providers in order to assess whether the Safe Harbor has been used for the transfers and, if so, whether there are any other suitable contractual means to legitimize the transfers.
Also, the Article 29 Working Party (an independent advisory body composed of representatives from the national data protection authorities of the EU Member States) is aware that this decision has major consequences for all stakeholders. For these reasons, in order to provide a coordinated analysis of the CJEU’s decision and to determine the consequences on transfers, a first round of discussions between experts is to be organized already this week in Brussels.
Please feel free to contact our data protection & privacy specialists should you want to discuss the implications of the decision in more detail.
Erkko Korhonen
Senior Associate
Telephone: +1 202 826 8800 (US) or +358 40 483 5763 (Finland)
erkko.korhonen@hannessnellman.com
Anssi Suominen
Associate
Telephone: +358 9 2288 4302 or +358 40 519 9998
anssi.suominen@hannessnellman.com