The Court of Justice of the European Union’s decision declaring the EU-US Safe Harbor framework invalid as a mechanism to legitimize transfers of personal data from the EU to the US might also impact some other jurisdictions declared by the European Commission as providing an adequate level of protection by reason of its domestic law or of the international commitments it has entered into.
On October 6, 2015, the Court of Justice of the European Union (CJEU) ruled the EU-US Safe Harbor framework invalid as a mechanism to legitimize transfers of personal data from the EU to the US. By decision 2000/520/EC the European Commission declared the Safe Harbor principles, a joint development and effort with the US Department of Commerce, were supposed to ensure an adequate level of protection for personal data transferred from the European Union to organizations established in the United States.
On the basis of a dispute between Austrian law student Max Schrems and the Irish Data Protection Commissioner, the CJEU was requested to analyze whether a local DPA was bound by the European Commission’s decision regarding the Safe Harbor or not.
In its decision, the CJEU concluded that the fact that the European Commission finds that a third country ensures an adequate level of protection does not prevent a supervisory authority of any member state from examining the claim of a person concerning the protection of his or her rights and freedoms in regard to the processing of personal data relating to him or her, which has been transferred from a member state to that third country when that person claims that the law and practices in force in the third country do not ensure an adequate level of protection.
While primary effects would inevitably impact the international transfer of data from the EU to the US, the reasoning behind the CJEU’s decision might also impact some other jurisdictions declared by the European Commission as providing an adequate level of protection (complete list of countries here).
Among other countries, Argentina has been considered to provide an adequate level of protection (Decision 2003/490/EC of June 30, 2003) which in practice have resulted in a free flow of personal data from the EU to Argentina, and vice-versa. Since 2003, companies and individuals have relied on the adequacy decision as a means to freely export and import personal data.
This decision of the CJEU could trigger new cases in which the relevant European Data Privacy Authorities might wish to analyze whether a European Commission’s decision declaring a country to provide adequate level of protection, for instance Argentina, remains valid or not. However, if that were the case, in our opinion there are strong arguments to uphold that the situation in Argentina is different from the one in the CJEU’s analysis, particularly the existence of a federal law granting similar rights to data subjects as those recognized by the Directive 95/46 of the European Union as well as a Data Protection Authority enforcing those rights.