Preiskel & CoPreiskel & Co
Preiskel & Co
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Tina Cowen
    • D A T Green
    • Karthyaeni Vittala
    • Richard Stewart
    • Mor Swiel
    • Ilanit Appelfeld
    • Stephen Dnes
    • Daniel Oakland
    • Robert Harvey
    • Martina Raciti
    • Joanna Coombs-Huang
    • Xavier Prida
    • Mark Clough
    • Stewart White
    • Alison MacFarlane
    • Hannah Leader
    • Peter Dally
    • Antony Corel
    • Sue Warwick
    • Shardi Shameli
    • Stephen Hornsby
    • Ewelina Korgol
    • Maria Constantin
    • Sophia Yakhno
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

The European Court of Justice invalidates the Safe Harbour

October 7, 2015By Preiskel & Co

The Court of Justice of the European Union (the “CJEU”) decided yesterday for the invalidity of the Decision 2000/520/EC of 26 July 2000 (the “Safe Harbour Decision”), which held that personal data transferred from the EU to the US under the EU/US Safe Harbour scheme was adequately protected. The CJEU decision of yesterday was in line with the Advocate General (the “AG”) opinion of 23 September 2015.

 

Background of the Case

An Austrian citizen user of Facebook lodged a complaint with the Irish data protection authority (the “Irish DP Commissioner”). The citizen argued that in view of the activities of the US intelligence services, in particular the National Security Agency (the “NSA”), and the current law and practices of the US, there was no real protection against surveillance by the US of the citizen’s personal data transferred from the EU to the US. The complaint was logged in Ireland, which is the location of Facebook’s headquarters in Europe.

The Irish DP Commissioner rejected the complaint on the basis that the Safe Harbour Decision concluded that the Safe Harbour scheme ensured an adequate level of protection of the personal data of EU citizens transferred to the US.

The High Court of Ireland, before which the case has been brought, referred to the ECJ in order to ascertain whether the Safe Harbour Decision had the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection for personal data transferred to that country.

The judgement

The CJEU found that the Safe Harbour Decision was invalid as it failed to comply with the requirements set out by the Directive 95/46/EC (the “Data Protection Directive”) on the grounds that: (i) the Safe Harbour Decision failed to state that the US in fact ensures a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order; and (ii) it restricted the national supervisory authorities’ powers to decide whether the Safe Harbour Decision was compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.

Furthermore, the CJEU decided that the existence of a decision by which the European Commission finds that a third country ensures an adequate level of protection of personal data (such as the Safe Harbour Decision) does not prevent national supervisory authorities from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from the EU to a third country.

Consequences of the judgment

The consequences of the invalidation of the Safe Harbour Decision will affect companies carrying out personal data transfers from the EU to the US.

Any company transferring data from EU to the US will have to quickly re-assess how to comply with EU and the national legislation of the countries from which persona data is collected and transferred to the US, as the US does not currently ensure and adequate level of protection for such personal data.

Pending the implementation of a revised Safe Harbour scheme, any company transferring personal data to the US will need to review its current position. In the UK, there could be several ways to ensure that personal data is legally transferred to the US such as the use of model contract clauses or binding corporate rules, but this should be assessed on a case by case basis.

In the meantime, many US companies with existing data transfer agreements (or more general commercial agreements also regulating personal data transfers the US) with parties located in the EU could be in breach of their agreements. This is because the US companies will not be able to rely on their registration with the Safe Harbour scheme to fulfil their contractual obligation to comply with the EU and national data protection legislation. Therefore, a due diligence of the relevant agreements would be necessary.

 

by Jose Saras and Natalia Porto.

(Jose Saras is a partner at Preiskel & Co LLP and can be contacted here. Natalia Porto was an associate at Preiskel & Co LLP.)

Latest Preiskel & Co blog posts
  • Claim against NHS Trust for breach of DPA 1998 and misuse of private information dismissed
    April 28, 2022
  • TikTok Class action for the Misuse of Child Personal Data
    April 28, 2022
  • ICO consultation on draft guidance for the research provisions within the UK GDPR and the DPA 2018
    April 20, 2022
  • European Strategy for Artificial Intelligence – a framework to regulate AI and its potential impact on the UK
    April 19, 2022
  • Meta hit by 17 million euro fine by Irish regulator
    April 19, 2022
  • Ofcom has mandated that telecoms providers ensure British Sign Language (BSL) for 999
    March 18, 2022
  • Ofcom publishes statement on the future of telephone numbers
    March 15, 2022
  • German court sends biometric data questions to the ECJ
    February 23, 2022
  • Meta fined £1.5m by CMA
    February 7, 2022
  • International data transfer agreement and addendum laid before Parliament
    February 4, 2022
  • CMA publishes statement of scope in music and streaming market study
    February 1, 2022
  • Google Privacy Sandbox faces European Commission complaint from German publishers
    January 24, 2022

The Preiskel Blog

  • Claim against NHS Trust for breach of DPA 1998 and misuse of private information dismissed 28 Apr 2022
  • TikTok Class action for the Misuse of Child Personal Data 28 Apr 2022
  • ICO consultation on draft guidance for the research provisions within the UK GDPR and the DPA 2018 20 Apr 2022
  • European Strategy for Artificial Intelligence – a framework to regulate AI and its potential impact on the UK 19 Apr 2022

Preiskel news

  • Daniel Preiskel and Xavier Prida lecturing to Academia Mexicana del Derecho Informático and Abogado Digital
  • Preiskel & Co advises Mexico-based premium content production company Dopamine
  • Danny Preiskel was ranked as a Global Elite Thought Leader in Telecoms & Media by WhosWhoLegal Data 2022
  • Danny Preiskel featured in GCCM (Global Carrier Community Magazine)
Preiskel tweets
  • @jwrosewell @m4aow @w3c @IABTechLab Our pleasure!61 days ago
  • RT @jwrosewell: Great work from @Preiskel and the whole @m4aow team. Thank you. Much for @w3c, @IABTechLab, and others to consider in this…61 days ago
  • RT @TC_4KBW: Google’s battle with publishers shows that at every turn it seeks to block others from competing. it blocked header bidding, b…61 days ago
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2022 | Site map | Legal notices | Privacy | Cookie Policy | Privacy | Fraud Notice