The Court of Justice of the European Union (CJEU) has today declared that the Commission Decision 2000/520/EC (the Safe Harbour Decision) is invalid. This means that companies can no longer rely on Safe Harbour certification in order to legitimise the transfer of personal data from the EU to the US. Impacted companies will need to put alternative arrangements in place immediately to legitimise their transfers of personal data to the US, such as the Model Contractual Clauses or Binding Corporate Rules (BCRs).

The decision also means that the Data Protection Commissioner (the DPC) must now examine Mr Schrems’ complaint and decide whether, pursuant to the Data Protection Directive 95/46/EC, transfer of the data of Facebook’s European subscribers to the US should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

The powers of national supervisory authorities when the Commission has adopted an adequacy decision

The CJEU ruled that the existence of a Commission decision, such as the Safe Harbour Decision, finding that a third country ensures an adequate level of protection of the personal data transferred does not prevent national supervisory authorities from examining whether the transfer of a person’s data to the third country complies with the requirements of EU data protection law. However, the CJEU held that it alone has jurisdiction to declare an EU act, such as a Commission adequacy decision, invalid. 

The validity of the Safe Harbour Decision

The CJEU highlighted that the protection of the fundamental right to respect for private life at EU level requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary (Digital Rights Ireland and Others, C-293/12 and C-594/12 cited). 

The CJEU ruled that the Safe Harbour Decision is invalid on the grounds that it enables interference by US public authorities with the fundamental rights of persons whose data is transferred from the EU to the US "without limitation". It held that the derogation in the Safe Harbour Decision permitting US public authorities to have access on a generalised basis to the content of electronic communications must be regarded as "compromising the essence of the fundamental right to respect for private life ,as guaranteed by Article 7 of the Charter". 

In addition, the CJEU held that the Safe Harbour Decision, by not providing any possibility for EU citizens to obtain access, rectification or erasure of their data, or judicial redress with regard to the further processing of their data in the US "does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter".

Finally, the CJEU found that the Safe Harbour Decision restricts national supervisory authorities’ powers to suspend data flows to an organisation that has self-certified its adherence to Safe Harbour, except under certain restrictive conditions establishing a high threshold for intervention. The CJEU held that the Commission did not have competence to restrict national supervisory authorities’ powers in that way.

Comment

The CJEU’s decision will put further pressure on the EU-US to reach a speedy agreement on the reform of Safe Harbour.  Negotiations have been stuck for some time on the European Commission’s recommendation that US authorities should only be allowed to access data covered by Safe Harbour to the extent that is strictly necessary or proportionate to the protection of national security. This effectively requires US authorities to restrict their electronic data surveillance practices. The CJEU’s decision today shows the importance of this revision being agreed to in order for the negotiations to move forward.

EU companies must take immediate steps to review their contracts with US companies to check the grounds on which they are legitimising their EU-US data transfers. As Safe Harbour is no longer a valid legal basis to transfer data to the US, Irish companies who currently rely on the regime will need to evaluate alternative data transfer arrangements, such as the Model Contracts or BCRs. We will provide more detailed analysis on the impact of the decision over the coming days.