With these words, the European Court of Justice (ECJ) has just ruled the “Safe Harbor” agreement between the US and EU invalid:
1. Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.
As a result, individual European countries can now apply their own regulations for companies’ handling of their citizens’ personal data when that data will flow to the US, creating enormous uncertainty for all contexts in which those transfers take place, which in the age of the Internet is almost all the time. EU countries can, if they wish, choose to suspend the transfer of data to the US, forcing companies to host personal data exclusively within Europe.
For most companies, this will mean a quick turn to “model clauses” executed between European “data controller” companies or affiliates and US “processor” companies, even though the logic of the decision — grounded in misunderstandings about US governmental surveillance of personal information — appears to undermine both model clauses and binding corporate rules (BCRs). Consent of the individual — so fragile, revocable and temporary — is the only major basis for data transfers to the US that remains logically unscathed by this decision, because unlike model clauses and BCRs, it does not rely on fictitious protection of the individual from (mostly fictitious) surveillance.