In a new turn to the Maximilian Schrems case in Ireland, the Irish High Court on 18 June 2014 decided to refer several questions to the European Court of Justice (ECJ), including whether national data protection authorities in Europe may disregard the Safe Harbor decision of the European Commission when assessing whether the U.S. recipient of data ensures an adequate level of data protection required under EU law. Depending on the outcome of the case, European and U.S. companies may not be able to rely on Safe Harbor to legitimise cross-border data transfers in the future.
The Safe Harbor Principles, which have been agreed upon by the European Commission and the U.S., ensure the required adequate level of data protection when transferring personal data from Europe to the U.S. Many companies transferring personal data from Europe to the U.S. use this option instead of Standard Contractual Clauses, individual consent, or Binding Corporate Rules.
In the 18 June decision [number 2013 No. 765JR], the Irish High Court referred a number of questions concerning the application of the Safe Harbor Principles to the ECJ under Article 267 of the Treaty on the Functioning of the European Union (TFEU). The key issue of the referral is the question of whether the decision of the European Commission on Safe Harbor is binding on national authorities.
Earlier in the Schrems case, the Irish Data Protection Commissioner had rejected a complaint against the transmission of personal data because it complied with the Safe Harbor Principles. Furthermore, the Irish supervisory authority for data protection did not see a reason to begin investigations because the transmission had been conducted upon the grounds of Safe Harbor and therefore based upon the decision of the European Commission.
This binding effect has now been questioned by the High Court, combined with a reference to both current developments and Articles 7 and 8 of the European Charter of Fundamental Rights. Particularly, Justice Hogan submitted to the Court the question of whether national supervisory authorities for data protection have the right to conduct their own investigations and come to their own decision even if the data are transferred on the grounds of the Safe Harbor Principles.
It is hard to predict when and how the ECJ will decide, particularly after its unexpected decision in the Google case. Besides the ruling on Safe Harbor, it will be interesting to see if the Court will take the opportunity to provide any rulings more broadly concerning the scope of European data protection.
On a separate track, as we reported previously, negotiations between the European Commission and the United States concerning revisions to the Safe Harbor Principles are ongoing, although those developments would surely be affected by a ruling adverse to Safe Harbor.
Antoinette von Schweinitz