The Data Protection Directive (95/46/EC) provides that European companies may transfer personal data to countries outside the European Economic Area if such a country ensures an adequate level of personal data protection. Such an adequate level can be established in a number of ways, one of which is a declaration of the EU Commission approving a country’s personal data protection regime, certain mechanisms in countries or the legislation in certain sectors. Other options are consent of the data subject, implementing binding corporate rules or executing EU model clauses between the European entity that transfers the personal data and the company that receives such data.
In its decision of 26 July 2000 (“Safe Harbour Decision”), the EU Commission declared that US undertakings which adhere to the US Safe Harbour Principles, a self-certification mechanism, ensure an adequate level of data protection. This enables European companies to transfer personal data to such entities, without the need to take additional contractual measures to justify the data transfer as such. Many US companies have therefore ensured that they are Safe Harbour compliant. This Safe Harbour Decision has now been declared invalid by the European Court of Justice (“ECJ”), in its judgment of 6 October 2015.
The judgment was rendered in response to a question posed by the Irish High Court in which it wished to ascertain whether the Safe Harbour Decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data. The Irish supervisory authority had been confronted with a complaint from an Austrian student relating to the transfer of his personal data by Facebook Ireland to the United States. The student believed that in the light of the 2013-Snowden revelations concerning the activities of the US National Security Agency (“NSA“), the Safe Harbour framework did not ensure an adequate level of protection of his personal data. The Irish supervisory authority had rejected this complaint by referring to the fact that the EU Commission had decided in 2000 that the Safe Harbour framework ensures an adequate level of data protection.
The ECJ first stated that the existence of an EU Commission decision, declaring that a third country ensures an adequate level of personal data protection, cannot reduce or eliminate the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the Data Protection Directive.
This entails that the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the Data Protection Directive. Nevertheless, the ECJ pointed out that it alone has jurisdiction to declare an EU act, such as the Safe Harbour Decision, invalid.
In its validity assessment of the Safe Harbour Decision the ECJ first observed that the EU Commission did not find that the US ensured an adequate level of personal data protection by reasons of its national law or its international commitments. The EU Commission merely examined the Safe Harbour Principles, which is applicable solely to US undertakings which adhere to it. In addition, US national security, public interest and law enforcement requirements can deviate from and prevail over the Safe Harbour Principles.
With regard to the assessment whether the US essentially maintains a level of protection equivalent to the EU, the ECJ concludes that:
- US legislation violates the fundamental right to respect for private life by allowing storage of all personal data, without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use;
- US legislation violates the fundamental right to effective judicial protection by not providing legal remedies to individuals in order to access, rectify or delete personal data relating to him/her.
For all those reasons, the ECJ declares the Safe Harbour Decision invalid. As a consequence the Irish supervisory authority is required to examine the complaint against Facebook’s data transfers with all due diligence and to decide whether this particular transfer to US servers should be suspended on the ground that the US does not afford an adequate level of personal data protection.
This judgment also implies that undertakings need to take action if they are currently relying on the Safe Harbour Decision to justify personal data transfers outside the European Economic Area.
Alternative solutions to ensure an adequate level of personal data protection when transferring personal data outside the EEA can be achieved by:
- obtaining consent from the data subject for the transfer;
- implementing binding corporate rules;
- executing model clauses between the data exporter and data importer;
- depending on the national legislation: by obtaining a permit.
It remains to be seen whether this groundbreaking decision will also have an impact on the ongoing negotiations at European level for the new General Data Protection Regulation and the negotiations with the US in the light of the Transatlantic Trade and Investment Partnership.