The European Court of Justice (“ECJ”) has ruled that the Safe Harbour decision, which lets US companies use a single standard for consumer privacy and data storage in both the US and the EU, is invalid.
What is Safe Harbour?
In 2000, the European Commission adopted a decision finding that, under the Safe Harbour agreement, the US ensures an adequate level of protection of personal data transferred between the EU and the US. The Safe Harbour agreement means that US companies can voluntarily commit to respect European data protection standards, and today many companies rely on Safe Harbour to lawfully transfer personal data from the EU to the US.
What is the background and the reason for the decision?
The recent ruling of the ECJ says, in short, that the Commission’s decision to approve Safe Harbour does not reduce the powers or obligations of the national supervisory authorities. The ECJ explicitly declares the decision invalid, i.e. the Safe Harbour agreement no longer provides an adequate level of protection of personal data. The ruling comes after the Austrian citizen Max Schrems brought a case against Facebook in Ireland, claiming his privacy had been violated by the NSA’s mass-surveillance programs (first revealed by Edward Snowden). The Irish supervisory authority considered itself not authorized to scrutinize the transfer, with reference to the Safe Harbour decision (according to which the transfer of Schrems’ data was OK). Nevertheless, the ECJ now sends the case back to the authority for investigation, with reference to the authority’s obligation to comply with the European Data Protection Directive. On grounds of national security, public interest and law enforcement requirements, US authorities have unrestricted access to transferred personal data, and the purpose of the Safe Harbour agreement is thereby undermined.
What will be the result of the decision?
As a result of the ruling, European data protection authorities can be expected to scrutinize and possibly suspend data transfers based on Safe Harbour. If your company relies on the Safe Harbour scheme to lawfully transfer data to the US, you will need to find another way to achieve compliance. One alternative is to seek and obtain the explicit consent of the data subject, but under many jurisdictions valid consent may be difficult to obtain, especially retrospectively. Another alternative is to use “model clauses”, pre-approved clauses that can be inserted into contracts dealing with data protection.
However, in light of the comprehensive rights that the US authorities de facto have, it is currently difficult to foresee whether and how an adequate level of data protection will be achieved in the US. One thing is sure – this decision will lead to a large number of further questions and is likely to radically change the agenda for the ongoing negotiations between the US and the EU on the subject matter.
To view the ECJ’s press release on the decision, please click here.
For further information, please contact Anna Forsebäck.