On the 6th October, 2015, the European Court of Justice (CJEU) ruled on the adequacy of the data privacy protections afforded by Safe Harbor within Europe; ultimately declaring them insufficient and the process invalid. The US/EU Safe Harbor process was developed by the US Department of Commerce alongside the European Union to allow US Companies to comply with EU Directive 95/46/EC on the protection of personal data; a process that was until recently declared compliant and valid with the directive by the European Commission. The move to overturn the decision of the Commission, dated 26th July, 2010, was due to the fact that they did not consider the US legislation which overrides Safe Harbor. This overriding legislation permits US government authorities to obtain the personal data of all citizens of the European Union.
The case has arisen following the revelations made by Edward Snowdon that information that was supposedly protected under Safe Habor was being used for nonspecific surveillance and monitoring operations. Following from this Mr Schrems, an Austrian citizen whose personal data had been captured in Europe but eventually stored by Facebook in the US, made an official complaint to the Irish Data Protection Commissioner, highlighting that Safe Harbor does not afford EU citizens adequate data protection from US authorities. This complaint was rejected by the Commissioner and the case was referred for Judicial Review by the High Court of Ireland who sought direction from the CJEU.
The potential impacts of this decision to invalidate Safe Harbor are far reaching, with many companies relying in part on their compliance with Safe Habor to ensure they work lawfully with regards to data protection in Europe. In addition, it has been confirmed that there will be no ‘grace period’ with respect to this decision, and Safe Harbour is invalid effective immediately. Companies will therefore have to ensure that going forward they have the alternative mechanisms in place to comply with EU legislation. Further guidance will be provided by the CJEU in due course, therefore it is unlikely that any action will be taken against any companies in the immediate future. However, businesses should be aware that complaints may be brought against them directly if they do fail to comply with all applicable legislation.
It is therefore recommended that action is taken immediately to ensure that adequate protections are employed by all companies.