Preiskel & CoPreiskel & Co
Preiskel & Co
  • Home
  • About Us
    • Diversity, Social Responsibility, and Pro Bono
  • Services
    • Corporate
    • Commercial
    • Regulatory
    • Competition & Antitrust
    • Data Protection, Privacy, and Retention
    • Intellectual Property
    • Dispute Resolution
    • Employment
  • Sectors
    • Telecommunications
    • IT, Technology, & Internet
    • Media and Broadcasting
    • Websites, Blogging, & Social Media
    • Film & Television
    • Gambling & Online Gaming
    • Leisure & Retail
    • Energy & Minerals
    • Cryptocurrency & Blockchain
    • Creative Industries
  • People
    • Daniel Preiskel
    • Ronnie Preiskel
    • Tim Cowen
    • Jose Saras
    • Robert Dougans
    • Tina Cowen
    • D A T Green
    • Karthyaeni Vittala
    • Richard Stewart
    • Mor Swiel
    • Ilanit Appelfeld
    • Stephen Dnes
    • Daniel Oakland
    • Robert Harvey
    • Martina Raciti
    • Joanna Coombs-Huang
    • Xavier Prida
    • Mark Clough
    • Stewart White
    • Alison MacFarlane
    • Hannah Leader
    • Peter Dally
    • Antony Corel
    • Sue Warwick
    • Tony Curzon-Price
    • Shardi Shameli
    • Stephen Hornsby
    • Ewelina Korgol
    • Maria Constantin
    • Sophia Yakhno
  • International
  • Blog
  • News
    • Publications
  • Contact
Menu back  

The European Court of Justice invalidates the Safe Harbour

October 7, 2015By Preiskel & Co

The Court of Justice of the European Union (the “CJEU”) decided yesterday for the invalidity of the Decision 2000/520/EC of 26 July 2000 (the “Safe Harbour Decision”), which held that personal data transferred from the EU to the US under the EU/US Safe Harbour scheme was adequately protected. The CJEU decision of yesterday was in line with the Advocate General (the “AG”) opinion of 23 September 2015.

 

Background of the Case

An Austrian citizen user of Facebook lodged a complaint with the Irish data protection authority (the “Irish DP Commissioner”). The citizen argued that in view of the activities of the US intelligence services, in particular the National Security Agency (the “NSA”), and the current law and practices of the US, there was no real protection against surveillance by the US of the citizen’s personal data transferred from the EU to the US. The complaint was logged in Ireland, which is the location of Facebook’s headquarters in Europe.

The Irish DP Commissioner rejected the complaint on the basis that the Safe Harbour Decision concluded that the Safe Harbour scheme ensured an adequate level of protection of the personal data of EU citizens transferred to the US.

The High Court of Ireland, before which the case has been brought, referred to the ECJ in order to ascertain whether the Safe Harbour Decision had the effect of preventing a national supervisory authority from investigating a complaint alleging that a third country does not ensure an adequate level of protection for personal data transferred to that country.

The judgement

The CJEU found that the Safe Harbour Decision was invalid as it failed to comply with the requirements set out by the Directive 95/46/EC (the “Data Protection Directive”) on the grounds that: (i) the Safe Harbour Decision failed to state that the US in fact ensures a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order; and (ii) it restricted the national supervisory authorities’ powers to decide whether the Safe Harbour Decision was compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals.

Furthermore, the CJEU decided that the existence of a decision by which the European Commission finds that a third country ensures an adequate level of protection of personal data (such as the Safe Harbour Decision) does not prevent national supervisory authorities from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from the EU to a third country.

Consequences of the judgment

The consequences of the invalidation of the Safe Harbour Decision will affect companies carrying out personal data transfers from the EU to the US.

Any company transferring data from EU to the US will have to quickly re-assess how to comply with EU and the national legislation of the countries from which persona data is collected and transferred to the US, as the US does not currently ensure and adequate level of protection for such personal data.

Pending the implementation of a revised Safe Harbour scheme, any company transferring personal data to the US will need to review its current position. In the UK, there could be several ways to ensure that personal data is legally transferred to the US such as the use of model contract clauses or binding corporate rules, but this should be assessed on a case by case basis.

In the meantime, many US companies with existing data transfer agreements (or more general commercial agreements also regulating personal data transfers the US) with parties located in the EU could be in breach of their agreements. This is because the US companies will not be able to rely on their registration with the Safe Harbour scheme to fulfil their contractual obligation to comply with the EU and national data protection legislation. Therefore, a due diligence of the relevant agreements would be necessary.

 

by Jose Saras and Natalia Porto.

(Jose Saras is a partner at Preiskel & Co LLP and can be contacted here. Natalia Porto was an associate at Preiskel & Co LLP.)

Latest Preiskel & Co blog posts
  • Important decision impacting how companies must provide personal data requested by data subjects under their access rights
    January 19, 2023
  • NIS 2 Directive – Enhanced Common Level Cybersecurity Across the EU
    January 12, 2023
  • Saving the WWW from the W3C
    December 20, 2022
  • Imminent US adequacy decision to be met by legal challenges from privacy advocates
    December 13, 2022
  • Preiskel & Co Client, Nadira Murray’s awards for film “Winners”
    December 13, 2022
  • Telecoms Security Framework (TSF) – Background and Requirements
    December 8, 2022
  • Updated EU Commission decision paves way for 5G on the road and in-flight connectivity innovation
    November 29, 2022
  • Controller Binding Corporate Rules – EDPB adopts new recommendations on the application for approval and the elements and principles of the Rules
    November 25, 2022
  • ICO reveals new transfer risk assessment tool
    November 25, 2022
  • Ofcom publishes new rules for telecoms providers to combat scam calls
    November 23, 2022
  • The Future Is Now: The Disruptive Power of AI and Its Legal Ramifications in The Metaverse
    November 9, 2022
  • CJEU clarifies the interpretation of purpose and storage limitation principles under the GDPR
    October 27, 2022

The Preiskel Blog

  • Important decision impacting how companies must provide personal data requested by data subjects under their access rights 19 Jan 2023
  • NIS 2 Directive – Enhanced Common Level Cybersecurity Across the EU 12 Jan 2023
  • Saving the WWW from the W3C 20 Dec 2022
  • Imminent US adequacy decision to be met by legal challenges from privacy advocates 13 Dec 2022

Preiskel news

  • Preiskel & Co’s corporate team advised IXAfrica regarding a highly significant technology infrastructure investment for East Africa
  • Preiskel & Co’s Technology M&A Global Practice Guide published by Chambers
  • Preiskel & Co Client, Nadira Murray’s awards for film “Winners”
  • Preiskel & Co ranked in Chambers for FinTech Legal, Data Protection and Cyber Security
Preiskel tweets
  • Important decision impacting how companies must provide personal data requested by data subjects under their access… https://t.co/J39PFCbg0I7 days ago
  • NIS 2 Directive – Enhanced Common Level Cybersecurity Across the EU. Find out more here: https://t.co/Or9NlgMfXT #CyberSecurity14 days ago
  • Preiskel & Co’s corporate team advised IXAfrica regarding a highly significant technology infrastructure investment… https://t.co/iAVpUxhttj17 days ago
Preiskel & Co LLP
4 King's Bench Walk,
Temple,
London
EC4Y 7DL
United Kingdom

Tel: +44 20 7332 5640
Email: info@preiskel.com

Find us on:

TwitterLinkedinMail
© Preiskel & Co LLP 2023 | Site map | Legal notices | Cookie Policy | Privacy