The European Court of Justice (“ECJ”) held today that the Safe Harbor Privacy Principles for transfer of data to the US are invalid, opening questions on past and future data transfers that rely on such data protection principles.

The Safe Harbor Privacy Principles Case

The Safe Harbor Privacy Principles scheme set out the terms under which it is possible to transfer personal data from the European Union to companies based in the United States that undertook to comply with such principles. This applies even though the United States is considered as a country that does not ensure an adequate level of protection to personal data under European Union legislation.

The case addressed by the ECJ involved a social media user whose data was transferred from Ireland to the US – where the company has its servers – on the basis of Safe Harbor principles. The user challenged the data transfer in light of the recent leaks made by Edward Snowden concerning the activities of the United States intelligence services. The ECJ now held that

  1. a EU supervisory authority has the full power to investigate and suspend the transfer of personal data to the US, irrespective of the EU decision validating the Safe Harbor Principles, and
  2. the European Commission decision validating the Safe Harbor Principles is invalid as it does not ensure a level of personal data protection equivalent to the one guaranteed within the European Union.
  3. The position of the European Court of Justice is mainly based on the fact that the Safe Harbor Principles are not binding on public authorities in the US. Such authorities would be able to access to transferred data also in circumstances that are not meant to be strictly necessary, thereby compromising the fundamental rights of EU citizens and preventing them from accessing their own processed data,.

What happens now to data flows?

The impact of this ground-breaking decision on businesses – as we are currently discussing with a number of clients – is no doubt significant, causing most organizations to rethink their cross border data transfers (as our colleaguesalso pointed out here).

The questions that we are receiving from our clients today include:

  • What happens with regard to the processing of data performed so far under the Safe Harbor Principles?
  • Should the Safe Harbor certified entities block the future processing of personal data alrady transferred form the the EU?

The decision of the ECJ is not per se sufficient to suspend data flows to the US, as such power is vested in the national data protection authority, which, in the case of Italy, is the Garante per il trattamento dei dati personali (the “Garante Privacy”). However, in light of such decision, data transfers based solely on the Safe Harbor Principles are likely to be challenged.

What will happen to future transfer of data from the EU to the US?

Companies will no doubt have to find alternative legal grounds to transfer data to the US; particularly, pursuant to EU laws, data controllers shall either rely on Binding Corporate Rules, which require a complex process of approval, or enter into the Standard Contractual Clauses, which are more likely to be used.

However, some doubt that the reasoning of the ECJ may be extended to impact also data transfers to the US performed on the basis of the EU Commission Decisions concerning Binding Corporate Rules and Standard Contractual Clause. This because pursuant to US laws, also in such cases the US public authorities would be authorized to process the transferred data, with the consequence that also these decisions might be held invalid.

And what about Italy?

Since the ruling of the ECJ is likely to apply immediately, the practical effect of such decision would also depend on the actions of the national data protection authorities. The Garante Privacy released today a short statement, without setting up specific local guidelines. The Garante Privacy highlighted that a coordinated action at a European data protection supervisory authorities level is no doubt required, and they are accordingly assessing the best ways to identify common guidelines

So, until the new guidelines are released, there remains some uncertainty. Multinational companies will no doubt have to urgently review the flow of personal data currently transferred from the EU to the US, so as to assess whether additional steps need to be taken in order to ensure that the processing of data is fully compliant with EU (and local) laws.