
06 Oct 2015

Safe Harbor decision declared invalid


The Court of Justice of the European Union ("CJEU") has this morning handed down its decision in Maximillian Schrems v Data Protection Commissioner, declaring the Commission's US "Safe Harbor" Decision invalid.

"Safe Harbor" 

Under Article 25(1) of the Data Protection Directive (95/46/EC), personal data may only be transferred outside the EEA to a third country if that third country ensures an "adequate level of protection" (or other exemptions apply). The "Safe Harbor" programme, pursuant to European Commission Decision 2000/520/EC (the "Safe Harbor Decision"), provided that where data importers in the United States self-certify that they comply with the Principles set out in the Safe Harbor Decision, any transfers to such entities should be treated as complying with the Data Protection Directive.

This case itself concerned a complaint from Mr Schrems, an Austrian national and Facebook subscriber, to the Irish Data Protection Commissioner. All European Facebook data is processed in Ireland and then transferred to the US where it is stored by its Safe Harbor-certified US parent.

The basis of the complaint arose following the revelations by Edward Snowden of the US Government's "PRISM" surveillance programme. The Irish High Court referred two questions to the CJEU, which were (i) whether a national supervisory authority is bound by the Safe Harbor Decision where the complaint claims that a third country does not ensure adequate protection and (ii) whether the national supervisory authority may/must conduct its own investigation of the matter.

The decision 

Today’s decision follows the Advocate General’s recent opinion that the Safe Harbor Decision is invalid as a basis for transfers of data to the US.  Essentially, it has been held that the Safe Harbor Programme enables interference by US public authorities with the fundamental rights of persons. The Safe Harbor Decision does not refer to the existence of rules or legal protection against such interference.

The following points make up the basis for the CJEU's decision.

  • There is no provision within the Data Protection Directive that prevents oversight by the national supervisory authorities over transfers of personal data to third countries where there has been a Commission decision in respect of them.
  • Where there has been a claim, national supervisory authorities must be able to independently examine whether the transfer of personal data to a third country complies with the Data Protection Directive's requirements.
  • A national authority or person must be able to bring an action before the national courts where they consider a Commission decision invalid. However, the CJEU alone has the jurisdiction to declare a Commission decision invalid.
  • In making the Safe Harbor Decision, the Commission was required to find that the US does in fact ensure a level of protection of fundamental rights that is essentially equivalent to that guaranteed under EU law. The Commission did not make such a finding as it examined the Safe Harbor scheme rather than the laws of the US.
  • US public authorities are not subject to the Safe Harbor programme and US national security, public interest and law enforcement requirements prevail over the scheme. As such, US undertakings are bound to disregard the Safe Harbor programme's rules where such rules conflict with national requirements.
  • There is evidence, highlighted by two Commission communications, that US authorities were able to access and process personal data from the EU in a way incompatible with the purposes for transfer and beyond what was strictly necessary and proportionate for the protection of national security. In addition, individuals have no means of redress concerning the personal data involved.
  • Legislation is not limited to what is strictly necessary where it allows the generalised mass storage of personal data transferred to the US from the EU without (amongst others) an objective criterion for determining the limits for access by public authorities to that data.
  • Legislation permitting generalised access by public authorities to communications compromises the essence of the fundamental right to respect for private life.
  • Legislation not providing for the possibility of legal redress by way of access to personal data or obtaining its rectification or erasure compromises the essence of the fundamental right to effective judicial protection.
  • The Commission had no competence to restrict the national supervisory authorities' powers to question whether the decision is compatible with the protection of the privacy and the fundamental rights and freedoms of individuals.

Effect of the decision

Pending further examination of the full decision, the immediate effects of the decision appear to be that the "Safe Harbor" regime ceases to exist in its current form. Transfers of data from the EU to the US cannot validly be made on the basis of the Decision or the self-certification regime thereunder.  The approximately 5,000 organisations that rely on Safe Harbor will need to consider alternative means of legitimising transfers such as model contractual clauses or binding corporate rules.

Today's decision is binding on the Courts of Member States where the same issue arises. However, it is for the Irish High Court to implement the decision in the specific case concerning Facebook. The Irish Court must now decide whether the transfer of data of Facebook's European subscribers to the US should be suspended on the basis that the US does not provide adequate protection of personal data.

As such, today's decision will require the individual EU Member States to decide whether to suspend data transfers to the US now that the Safe Harbor regime has been held to be invalid. It is likely that the EU and US will now enter into renewed negotiations to update and improve Safe Harbor.
