On October 6, 2015, the Court of Justice of the EU (CJEU) ruled that the Safe Harbor decision from the EU Commission (Decision 2000/520) is invalid. The ruling seems more severe than the opinion rendered on September 23, 2015, by Advocate General Yves Bot, also proposing to declare this decision invalid.
First, the CJEU states very clearly that an EU Commission decision finding that a third country ensures an adequate level of protection of the personal data cannot eliminate or reduce the powers given by the Charter of Fundamental Rights and by Data Protection Directive 95/46 to National Data Protection Authorities (NDPAs). In other words, it remains the duty of the NDPAs to review whether a processing is compliant with EU and national laws. An NDPA cannot, however, decide that an EU Commission decision is invalid. Only the CJEU has this authority. Therefore, an NDPA, when dealing with a claim that leads it to consider that a decision of the EU Commission is invalid, must bring the proceeding before the appropriate national court, so it can refer the case to the CJEU.
Where the CJEU seems more severe than its Advocate General is on the decision of the EU Commission concerning the Safe Harbor. The CJEU states that the EU Commission was required to find that the U.S. ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to the one guaranteed in the EU. The CJEU continues by noting that the EU Commission did not make such finding, but merely examined the Safe Harbor scheme. The CJEU notes that the U.S. does not offer the required level of protection for two main reasons:
- The U.S. authorizes, on a general basis, storage of all personal data of all persons whose data are transferred from the EU without differentiation, limitation or exception being made in light of the objective pursued and without objective criteria to limit the access of public authorities to the data and its subsequent use.
- The U.S. does not provide legal avenues for individuals to access their personal data or to obtain rectification or erasure of such data; this compromises the essence of the fundamental right to effective judicial protection, such protection being inherent in the existence of the rule of law.
Without need to review the Safe Harbor itself to support its decision, the CJEU concludes nonetheless that the same two shortcomings are also present in the Safe Harbor scheme.
Finally, the CJEU, after noting that the EU Commission decision on Safe Harbor restricts the NDPA’s powers to challenge its decision, states that the EU Commission does not have this authority.
For all these reasons, the CJEU declares the EU Commission decision on Safe Harbor invalid. The direct effect of this decision will be that NDPAs must review whether personal data transfers based on the “dead” Safe Harbor need to be suspended. The ruling of the CJEU will have an important impact on companies that have relied on Safe Harbor only. For these companies, it seems urgent to think about standard contractual clauses, binding corporate rules or, when possible, another legal basis to render data transfer from the EU to the U.S. compliant.
Click here for the press release from the Court of Justice of the European Union (CJEU).