On 6 October 2015, the Court of Justice of the European Union ("CJEU" or "the Court") issued its judgment in case C 362/14 Maximillian Schrems v Data Protection Commissioner.
The Court ruled on two significant issues:
- The existence of a decision by the European Commission ("the Commission") finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the Data Protection Directive ("the Directive"). Thus, even if the Commission has adopted a decision, when dealing with a claim, national supervisory authorities have the power to examine with complete independence whether the transfer of a person's data to a third country complies with the requirements laid down by the Directive.
- The Court declared Commission decision 2000/520/EC on the adequacy of the EU-US safe harbor arrangement invalid.
The Directive states that personal data can only be transferred to countries outside the EU when an adequate level of protection is guaranteed, and these transfers may only take place if one of the transfer mechanisms set out in the data protection rules is used. These mechanisms include, inter alia¸ standard data protection clauses in contracts between US-EU companies exchanging data, and binding corporate rules for intra-group transfers.
In 2000, the Commission issued decision 2000/520/EC outlining a series of safe harbor principles to which US companies self-certify that they conform. This safe harbor agreement has facilitated data transfers from the EU to the US, but has now been declared invalid by the CJEU.
Following the Court's judgment, the Commission has indicated that its three priorities are to:
- protect personal data transferred overseas;
- continue transatlantic data flows with adequate safeguards; and
- work with national data protection authorities to ensure a coordinated response and uniform application of EU law in the internal market.
The Commission and the national data protection authorities are expected to issue guidance for businesses affected by the judgment shortly.
In response to the ruling, White & Case has put together an action plan Safe Harbor Action Plan (PDF) , which will be updated once such guidance becomes available.
Audrey Oh, a Trainee Solicitor in the Firm's London office, assisted in the development of this article.