The ECJ decision concludes a 2013 legal challenge by European privacy campaigner Max Schrems. Schrems initiated action against several US internet behemoths in the Irish courts for alleged collaboration with the US National Security Agency's Prism Programme. The Irish courts referred the case to the ECJ on the grounds that the European Safe Harbor agreement governed the flow of data to the US. The ECJ has now ruled that European data protection authorities cannot rely on the umbrella of Safe Harbor to govern their decisions.
But Safe Harbor is not the only way to protect data transferred out of the EEA. Alternative methods include the Model Contractual Clauses or Binding Corporate Rules (‘BCRs’). In fact, the majority of multi-national companies use the Model Contractual Clauses, which are approved by the European Commission, to transfer personal data outside of the EEA. For transfers within a corporate group, but outside of the EEA, BCRs can be used.
And regardless of whether a company uses Safe Harbor, the Model Contractual Clauses or BCRs, US legislation still permits US authorities to force access to US companies’ data stored in the EU. That is the case even though the disclosure is in breach of EU data protection laws, as can be seen from the recent US Court Order requiring Microsoft in the US to produce email content stored on servers in Dublin.
The decision could sound the death knell for the Safe Harbor framework set up 15 years ago to help companies on both sides of the Atlantic conduct everyday business but which has come under severe criticism following 2013 revelations of mass US snooping.