In a verdict that could affect thousands of companies, the European Court of Justice (“ECJ”) has ruled that the so-called “Safe Harbour Agreement”, a pact that allowed data transfers between the US and EU, is invalid. According to Europe’s highest court personal data is not sufficiently protected in the US as it can be accessed by American authorities.

Companies, such as Facebook or Google, can no longer base the transfer of personal data to servers in the US on the so called “Safe Harbour Decision” of the European Commission (“Commission”) dated 26 July 2000. Yesterday the ECJ declared the Commission’s decision invalid because, among other reasons, the Safe Harbour decision enables interference by US public authorities with the fundamental rights of individuals and the Commission did not refer to any rules in the US that limit such interference or to the existence of effective legal protection against it.

The European Data Protection Directive provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. Yesterday the ECJ ruled that while the Commission may find that a third country ensures an adequate level of protection, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the Data Protection Directive. Therefore the national data protection authorities are not bound by the EU Commission’s Safe Harbour Decision of July 2000.

At the same time the ECJ declared the Safe-Harbour Decision invalid. According to the judges the EU Commission was required to find that the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the Data Protection Directive. Instead the Commission merely examined the Safe Harbour scheme and did not take into consideration that US authorities are not bound by the agreement. US national security legislation allows US authorities to access personal data which is stored on US servers.

The case before the ECJ was brought by the Austrian citizen Maximillian Schrems who had been fighting over Facebook’s handling of their users’ personal data for years.

For now the judgment has the consequence that the Irish supervisory authority (which is involved in the case at hand) is required to decide whether, pursuant to the Data Protection Directive, the transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data. 

Regardless of the Irish supervisory authority’s decision, the ECJ ruling could affect thousands of companies which transfer data to US servers based on Safe Harbour as the legal basis.

Businesses that rely on Safe Harbour principles to transfer personal data from the EU to the US will need to review their practices and contracts promptly to ensure that they can comply with EU laws.