The Court of Justice of the European Union (CJEU) has ruled that the European Commission decision establishing the ‘Safe Harbor’ framework does not eliminate or reduce national authorities’ duties to assess compliance with EU data protection laws.  The CJEU also found that the decision is invalid as it does not sufficiently protect the fundamental rights of EU citizens.

In an unusual move, which highlights the importance of the issues at hand, the CJEU has expedited its usual decision-making process and given its judgment in the Schrems case.  This follows the publication of the opinion of Advocate General Bot less than two weeks ago (see here).

The CJEU found that EU data protection law does not prevent oversight of transfers to third countries by EU national authorities.  Even where the Commission has adopted a decision, national authorities must be able to examine, with complete independence, whether the transfer of personal data to a third country complies with the requirements of EU law.

In respect of the validity of the Commission decision, the CJEU found that the Commission was required to find that the US in fact ensured a level of protection of fundamental rights equivalent to that under EU law.  The Commission failed to make such a finding.  The CJEU found that the framework enabled interference by US public authorities with the fundamental rights of persons without effective legal protection or the existence of rules limiting such interference.  Such access on a generalised basis to the contents of electronic communications must, the CJEU noted, be regarded as compromising the essence of fundamental rights.

The CJEU also found that the Commission did not have the power to restrict national authorities from determining whether the decision is compatible with the protection of fundamental rights, a provision explicitly set out in the Safe Harbor framework.

The CJEU’s decision that the Safe Harbor framework is invalid has serious consequences for those companies which rely on the framework and may have a major effect on such companies’ operations. The framework allows for transfers to the US without contravening the general prohibition under EU data protection law on transfers outside of the EEA to countries deemed not to provide an adequate standard of protection, of which the US is one. 

Over 3,000 US companies are currently certified under the Safe Harbor framework, relying on it to legitimise transfers by affiliates and other companies with which they do business. Such certification can no longer be relied upon to legitimise a transfer of personal data to the US.

The Safe Harbor framework was not the only method of legitimising transfers to the US.  Irish businesses currently relying on Safe Harbor must now consider alternative options including Model Contracts and Binding Corporate Rules (BCRs).