In its judgment of 6 October 2015 (C-362/14), the Court of Justice of the European Union (“CJEU”) held that transfers of personal data of European citizens to the United States made under the so-called Safe Harbor scheme are subject to significant risks, and declared the corresponding decision of the European Commission to be invalid. As a consequence, EU entities of U.S. companies so far relying on Safe Harbor will need to revise their practice of submitting personal data to the U.S. to comply with EU data protection law.
The background to this CJEU ruling was a complaint lodged by European Facebook user Maximilian Schrems with the Irish data protection authority. Facebook Ireland, the company’s European headquarters, transfers the data of its subscribers to the servers of its parent company in the U.S. Schrems argued that the law and practices of the United States offered no real protection against U.S. surveillance of his data. The Irish authority rejected the complaint, relying on the “Safe Harbor” decision of the European Commission of 26 July 2000 (Decision 2000/520/EC). Safe Harbor is a U.S. government framework containing a set of principles on the treatment of sensitive personal data of EU citizens. According to the Commission’s decision, it is assumed that an adequate level of data protection is guaranteed where U.S. companies agree to comply with these principles. In the Irish data protection authority’s opinion, national data protection authorities should thus be prevented from launching investigations into data transfers covered by the Safe Harbor scheme. The case was brought before the High Court of Ireland, which further referred it to the CJEU.
The key elements of the CJEU ruling are as follows:
- Primarily, the CJEU held that a Commission decision finding that a third country ensured an adequate level of data protection could not reduce the national supervisory authorities’ investigative and banning powers granted by EU law. The Member States had to be able to take the measures necessary to safeguard the fundamental right to the protection of personal data under the Charter of Fundamental Rights of the EU.
- Furthermore, the CJEU explicitly declared the Commission’s decision 2000/520/EC to be invalid. In the eyes of the CJEU, the Commission’s decision did not satisfy the requirements of EU data protection law. This finding is, inter alia, based on the fact that the Safe Harbor scheme was not applicable to U.S. public authorities. Thus, legislation permitting U.S. public authorities to have access to the content of electronic communications on a generalized basis would have to be regarded as compromising fundamental rights.
Whether one agrees with the CJEU’s findings or not, this judgment will have a substantial impact on international companies’ practice of processing personal data. Data transfers to the U.S. are now associated with high legal uncertainty. Additionally, the ruling is likely to affect not only data transfers to the U.S., but also transfers to other countries which the Commission has previously considered to have adequate data protection regimes. Some of the Safe Harbor scheme’s shortcomings addressed in the CJEU ruling might be mitigated by the so-called “Umbrella Agreement” the U.S. and the EU have been negotiating. However, the extent to which the CJEU ruling will have an impact on the negotiations remains as yet unclear.