In its decision on October 6, 2015 (file-no. C-362/14), the European Court of Justice (ECJ) stated that the commonly used Safe Harbor Principles, which were previously deemed to be a safe way to legally transfer data to the United States, are non-binding for national data protection authorities. Thus, after this judgment, the harbor is not “safe” anymore. The court’s decision causes great difficulties for a wide range of internationally operating companies that regularly transfer personal data to their U.S. parents.
The Facebook Case
In this case, the ECJ had to decide whether the national Irish data protection authority could independently investigate and assess a complaint from an Austrian citizen who claimed that the Irish subsidiary of Facebook illegally transferred his personal data to the United States and illegally saved them on a U.S. server. The Irish data protection authority rejected the complaint on the grounds that Facebook submitted itself to abide by the Safe Harbor Principles. Based on a decision of the European Commission on July 26, 2000, data transfer to a company that submitted itself to the Safe Harbor Principles, on which the U.S. Department of Commerce elaborated, was considered under European law to be “safe” (i.e., an adequate level of data protection was guaranteed). As Facebook met these standards, the transfer to Facebook’s U.S. server should have been considered absolutely safe and thus legal, given the European Commission’s decision.
Reasoning of the Decision
This held true until October 6, when the ECJ clearly rejected the widely used and regarded as secure Safe Harbor practice, despite the European Commission’s decision in 2000. The judges criticized several aspects of the Commission’s decision.
First, the ECJ found that the European Commission lacked the authority to make a binding decision on behalf of the national data protection authorities about whether companies that submitted themselves to abide by the Safe Harbor Principles met the required standard for a legal transfer. In addition, the ECJ emphasized that the European Commission failed to properly consider in its decision that in case of a conflict of laws, U.S. law supersedes the Safe Harbor Principles. Last but not least, the European Commission did not consider the key fact that U.S. state authorities are basically granted un-restricted access to any data transferred to the United States (as has been proven by the National Security Agency (NSA) scandals that Edward Snowden exposed). The ECJ complained that state authorities were not covered, and even more importantly not bound, by the Safe Harbor Principles. Also, the court noted that the individuals concerned had no administrative or judicial means of getting informed about their saved data or enforcing the saved data to be deleted.
What Does This Ruling Mean - in the Facebook Case and in General?
For the reasons above, the ECJ required the Irish state authority to examine the Facebook complaint with due diligence and, at the conclusion of its investigations, to decide irrespective of the Safe Harbor Principles whether the transfer of the data of European Facebook users to the United States should be suspended on the grounds that the United States does not afford an adequate level of protection of personal data. This equally applied to all other EU member states and was not limited to the data transfer of Facebook. European citizens may request the national state authority for data protection to investigate whether the transfer of specific personal data to the United States complies with European standards.
General Standard Clauses
Another previously safe way to legally transfer data to third-party countries was the use of so-called general standard clauses that were enacted by the European Commission and guaranteed an adequate level of protection of personal data. However, the court’s reasons that justified the invalidity of the Safe Harbor Principles suggest that the general standard clauses would most likely share the same destiny. The general standard clauses were negotiated and enacted by the European Commission, which lacked the authority to do so. Also, the general standard clauses are risky, because the European Commission has not properly assessed that U.S. state agencies would have un-restricted and comprehensive access to any transferred data. However, the general standard clauses will enjoy a grace period until the ECJ declares them non-binding.
The ECJ’s recent decision will certainly increase the already-existing legal insecurities relative to data transfer from Europe to the United States. The newly negotiated agreement between Brussels and Washington on the transatlantic transfer of personal data will most likely have little impact on this legal un-certainty, as the judges expressly doubted the European Commission’s authority to enact binding rules for member states’ data protection authorities.