The Court of Justice of the European Union (the “CJEU”) decided yesterday for the invalidity of the Decision 2000/520/EC of 26 July 2000 (the “Safe Harbour Decision”), which held that personal data transferred from the EU to the US under the EU/US Safe Harbour scheme was adequately protected. The CJEU decision of yesterday was in line with the Advocate General (the “AG”) opinion of 23 September 2015.
Background of the Case
An Austrian citizen user of Facebook lodged a complaint with the Irish data protection authority (the “Irish DP Commissioner”). The citizen argued that in view of the activities of the US intelligence services, in particular the National Security Agency (the “NSA”), and the current law and practices of the US, there was no real protection against surveillance by the US of the citizen’s personal data transferred from the EU to the US. The complaint was logged in Ireland, which is the location of Facebook’s headquarters in Europe.
The Irish DP Commissioner rejected the complaint on the basis that the Safe Harbour Decision concluded that the Safe Harbour scheme ensured an adequate level of protection of the personal data of EU citizens transferred to the US.
The High Court of Ireland, before which the case has been brought, referred to the ECJ in order to ascertain whether the Safe Harbour Decision had the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection for personal data transferred to that country.
The judgement
The CJEU found that the Safe Harbour Decision was invalid as it failed to comply with the requirements set out by the Directive 95/46/EC (the “Data Protection Directive”) on the grounds that: (i) the Safe Harbour Decision failed to state that the US in fact ensures a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order; and (ii) it restricted the national supervisory authorities’ powers to decide whether the Safe Harbour Decision was compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.
Furthermore, the CJEU decided that the existence of a decision by which the European Commission finds that a third country ensures an adequate level of protection of personal data (such as the Safe Harbour Decision) does not prevent national supervisory authorities from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from the EU to a third country.
Consequences of the judgment
The consequences of the invalidation of the Safe Harbour Decision will affect companies carrying out personal data transfers from the EU to the US.
Any company transferring data from EU to the US will have to quickly re-assess how to comply with EU and the national legislation of the countries from which persona data is collected and transferred to the US, as the US does not currently ensure and adequate level of protection for such personal data.
Pending the implementation of a revised Safe Harbour scheme, any company transferring personal data to the US will need to review its current position. In the UK, there could be several ways to ensure that personal data is legally transferred to the US such as the use of model contract clauses or binding corporate rules, but this should be assessed on a case by case basis.
In the meantime, many US companies with existing data transfer agreements (or more general commercial agreements also regulating personal data transfers the US) with parties located in the EU could be in breach of their agreements. This is because the US companies will not be able to rely on their registration with the Safe Harbour scheme to fulfil their contractual obligation to comply with the EU and national data protection legislation. Therefore, a due diligence of the relevant agreements would be necessary.
by Jose Saras and Natalia Porto.
(Jose Saras is a partner at Preiskel & Co LLP and can be contacted here. Natalia Porto was an associate at Preiskel & Co LLP.)