07 October 2015

ECJ declares US-EU Safe Harbor decision invalid

In a verdict that could affect thousands of companies, the European Court of Justice (“ECJ”) has ruled that the so-called “Safe Harbor Agreement”, a pact that allowed data transfers between the US and EU, is invalid. According to Europe’s highest court personal data is not sufficiently protected in the US as it can be accessed by American authorities.

Companies, such as Facebook or Google, can no longer base the transfer of personal data to servers in the US on the so called “Safe Harbor Decision” of the European Commission (“Commission”) dated 26 July 2000. Yesterday the ECJ declared the Commission’s decision invalid because, among other reasons, the Safe Harbor decision enables interference by US public authorities with the fundamental rights of individuals and the Commission did not refer to any rules in the US that limit such interference or to the existence of effective legal protection against it.

The European Data Protection Directive provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. Yesterday the ECJ ruled that while the Commission may find that a third country ensures an adequate level of protection, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the Data Protection Directive. Therefore the national data protection authorities are not bound by the EU Commission’s Safe Harbor Decision of July 2000.

At the same time the ECJ declared the Safe-Harbor Decision invalid. According to the judges the EU Commission was required to find that the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the Data Protection Directive. Instead the Commission merely examined the Safe Harbor scheme and did not take into consideration that US authorities are not bound by the agreement. US national security legislation allows US authorities to access personal data which is stored on US servers.

The case before the ECJ was brought by the Austrian citizen Maximillian Schrems who had been fighting over Facebook’s handling of their users’ personal data for years.

For now the judgment has the consequence that the Irish supervisory authority (which is involved in the case at hand) is required to decide whether, pursuant to the Data Protection Directive, the transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data. 

Regardless of the Irish supervisory authority’s decision, the ECJ ruling could affect thousands of companies which transfer data to US servers based on Safe Harbor as the legal basis.

Businesses that rely on Safe Harbor principles to transfer personal data from the EU to the US will need to review their practices and contracts promptly to ensure that they can comply with EU laws.

Source: ECJ decision

Data Central

Have you checked out our new Data Hub? Data Central contains a range of resources to help our clients minimise the legal, regulatory and commercial risks this data-driven environment presents and ensure that its full value is being realised.

A Guide to Doing Business in China

We explore the key issues being considered by clients looking to unlock investment opportunities in the People’s Republic of China.

Doing Business in China
Share on LinkedIn Share on Facebook Share on Twitter
    You might also be interested in

    we briefly compare some key general differences between PRC law-governed contracts and common law-governed contracts.

    08 August 2018

    This note focuses on consent, and in particular consent requirements as set forth by the GDPR which are numerous.

    01 August 2018

    Organized into 19 stand-alone law topics, this article presents perspectives and on-the-ground experience from an experienced legal counsel in China.

    15 November 2017

    NDRC released the new Administrative Measures for Overseas Investment (draft for public comment) .

    03 November 2017

    This site uses cookies to enhance your experience and to help us improve the site. Please see our Privacy Policy for further information. If you continue without changing your settings, we will assume that you are happy to receive these cookies. You can change your cookie settings at any time.

    For more information on which cookies we use then please refer to our Cookie Policy.