On 6 October 2015, the Court of Justice of the European Union (CJEU) delivered its judgment on the ‘Schrems vs Facebook’ case, ruling that European internet users’ personal data are not adequately protected against access by US surveillance agencies. In doing so it declared the ‘Safe Harbour’ scheme, which had established simplified procedures for transferring data to the US, invalid.

Background:

In 2013, Austrian law student Max Schrems filed a complaint against Facebook Ireland for violation of data protection laws, arguing that Facebook automatically transmitted all data to the US under the Safe Harbour scheme.

Schrems’ complaint asserted that it is against EU law to transmit data to the US without national authorities in Europe verifying that Facebook complies with European standards of data protection in the US.

The High Court of Ireland had already considered this issue to be a decisive factor in the interpretation of EU law in late September 2014 and thus referred the case to the CJEU for a preliminary ruling. The CJEU conducted proceedings in that regard under case number C-362/14.

When making its decision, the CJEU considered whether the Safe Harbour scheme was in line with EU legislation. The Safe Harbour scheme is based on an agreement drawn up between the EU and the US which provides for self-certification by participating US companies. All such certified companies appearing on the US government’s Safe Harbour list were to qualify as offering adequate protection for personal data transferred to them from the EU.

On 6 October 2015, the CJEU ruled that the Safe Harbour agreement between the US and the EU was invalid, determining that as US companies could not provide an adequate level of protection of personal data. After the revelations made by Edward Snowden, US companies are no longer considered to be a ‘safe harbour’ for European users’ personal data.

Far-reaching implications

The ruling has far-reaching implications for companies in the US and Europe undertaking Transatlantic transfers of personal data. National data protection authorities (DPAs) are no longer bound by the Safe Harbour scheme to allow transfers of personal data from the EEA to the US. DPAs will be free to investigate personal data transfers based on the Safe Harbour and to begin enforcement action in respect of transfers they deem to be non-compliant. Accordingly, businesses must review their existing transfer arrangements and consider the alternative compliance mechanisms available to them, such as model contract clauses.

National DPAs issued holding responses to the ruling. The Commission also issued a statement. It undertook to issue further guidance and work closely with DPAs in order to “[avoid] a patchwork of potentially contradicting decisions by the national data protection authorities and therefore provide predictability for citizens and businesses alike.”