On 6 October 2015 the Court of Justice of the European Union issued its judgment in Case C-362/14 (Maximillian Schrems v Data Protection Commissioner), declaring that the Commission’s US Safe Harbour Decision is invalid.
The Data Protection Directive (Directive 95/46/EC) provides that the transfer of personal data to a country outside the European Economic Area may, in principle, take place only if that third country ensures an adequate level of protection of the data. The directive also provides that the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments.
On 26 July 2000, the Commission adopted Decision 520/2000/EC (the “Safe Harbour Decision”) recognizing the Safe Harbour Privacy Principles and Frequently Asked Questions, issued by the Department of Commerce of the United States, as providing adequate protection for the purposes of personal data transfers from the EU to companies in the US which had signed up to the Principles.
In July 2013, Maximillian Schrems, an Austrian Facebook user, lodged a complaint with the Irish data protection authority, taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services, the laws of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. The Irish authority rejected the complaint, on the ground, in particular, that in the Safe Harbour Decision the Commission had already considered that, under the Safe Harbour scheme, the United States ensured an adequate level of protection of the personal data transferred.
The case was brought before the High Court of Ireland, which, by reference for a preliminary ruling, asked the EU Court of Justice whether that Commission decision has the effect of preventing a national supervisory authority from autonomously assessing the level of protection of the data offered by the United States in the context of a complaint filed by a citizen.
The Court of Justice held that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the transferred personal data cannot eliminate or even reduce the powers available to the national supervisory authorities. Thus, even though the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must still be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive.
Most importantly, the ECJ also ruled that the Safe Harbour Decision is invalid, for the main reason that the Safe Harbour scheme does not prevent interference by the United States public authorities with the fundamental rights of persons.
The judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer to the United States of the European Facebook subscribers' personal data should be suspended on the ground that that country does not guarantee an adequate level of protection of personal data.
The ruling has far-reaching implications for European companies which transfer personal data to the USA. Indeed, national data protection authorities (DPAs) are no longer bound by the Safe Harbour Decision and will be free to begin enforcement actions in respect of transfers to the USA they deem to be non-compliant with the applicable privacy law. Accordingly, businesses must review their existing contracts with all US counterparties and, should such contracts rely on the Safe Harbour as a legal basis for transferring personal data to the USA, they must resort to the alternative compliance mechanisms available to them, such as the model contract clauses approved by the European Commission.
The Art. 29 Working Party has issued a press release, expressing the intention to carry out a coordinated analysis of the Court’s decision and to determine the consequences for international transfers. The Commission also issued a statement, undertaking to issue further guidance and work closely with DPAs in order to “[avoid] a patchwork of potentially contradicting decisions by the national data protection authorities and therefore provide predictability for citizens and businesses alike.”
The consequences in Italy
The Italian data protection authority (Garante) issued a short statement, stressing the need for a coordinated approach by all the various national privacy authorities on this matter.
Formally, the Garante's Safe Harbour general authorization of 2001 is still valid, as it has not been officially repealed. However, in the light of the ECJ's decision and since it is likely that the Garante will repeal its general authorization in the next few days, Italian businesses should no longer rely on the Safe Harbour to transfer personal data to the USA and should instead resort to the existing alternative legal bases, such as the standard model clauses approved by the European Commission, which have not been affected by the decision of the Court.