In a decision sure to have widespread implications for over 4,500 US companies doing business in Europe and anyone else who accesses data from the continent, the European Court of Justice ruled yesterday that the 15 year-old data-sharing arrangement known as “Safe Harbor” is invalid.

Those unfamiliar with this case, should consider examining our previous posts on this topic here and here. In short, complainant, Austrian Maximillian Schrems, filed a complaint against Facebook with the Irish Data Protection Commissioner (DPC) after discovering the company had gathered over 1,200 pages of his personal information. Pointing to the “Safe Harbor” provision of the 1995 EU Privacy Directive 94/46/EC stating that US companies may collect an EU user’s personal data after obtaining his or her consent if there is an “adequate level of data protection,” the DPC rejected Mr. Schrem’s complaint. Mr. Schrems then filed an application for judicial review, which eventually led to a hearing in March 2015 in front of Advocate General Yves Bot on whether the DPC could or should have investigated Mr. Schrems’ complaints. AG Bot’s September 23rd advisory opinion, while addressing the threshold issue of the DPC’s role (stating the DPC should have answered Mr. Schrems’ complaint), went a step further and stated “Safe Harbor” to be invalid. Pointing to Mr. Schrems’ example and Edward Snowden’s 2013 revelations concerning data collection by US intelligence agencies, AG Bot stated: “the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data,” a right guaranteed by the EU’s Charter of Fundamental Human Rights. The case quickly moved to the European Court of Justice (ECJ) which, moving at break neck speed, reached its decision in less than two weeks.

The ECJ determined the threshold question of whether the Irish DPC even had the power to rule on the adequacy of the Safe Harbor. The ECJ answered that question affirmatively: “. . . the national supervisory authorities are responsible for monitoring compliance with the EU rules concerning the protection of individuals with regard to the processing of personal data, [and] each of them is therefore vested with the power to check whether a transfer of personal data from its own Member State to a third country complies with the requirements laid down by Directive 95/46”.

The ECJ then examined the DPC’s decision and agreed with the more expansive opinion that Safe Harbor provisions are incompatible with the right to privacy under the EU Directive. In doing so, the ECJ appears to have thrown its weight behind privacy activists like Mr. Schrems and others incensed by what they believe is the U.S. Government’s failure to assure privacy protections such as the “right to be forgotten” that exists in the EU.

While it may take some time before the true impact of this decision is understood, it is very likely to throw into doubt the way many companies doing business in the EU or those with EU employees will deal with the situation if they do not meet another exception to the proscription on data transfer under Directive 95/46/EC. Some exceptions, like amending contracts to permit piece by piece data transfer, ad-hoc contracts, which must be reviewed by state privacy officers, or consent may work in the interim as the ECJ suggested its decision would foster a repair to the Safe Harbor system. But it remains to be seen what the full impact of the ruling will be for multiple small operations who may not benefit from contractual language permitting data transfer.

The ECJ’s ruling is below:

  1. Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.
  2. Decision 2000/520 is invalid.