6 October 2015, the European Court of Justice (the “ECJ”) concluded that the Safe Harbor Program is in breach of the Data Protection Directive. The ECJ ruled that the level of protection guaranteed by the Program did not meet the level of protection in accordance with the Data Protection Directive when transferring personal data to third countries outside the EU/EEA. The ruling means that going forward, European companies that transfer personal data to the United States must transfer the data on other legal grounds.
Pursuant to the Data Protection Directive, the transfer of personal data to countries outside the EU/EEA is in principle only allowed if the third country, according to law and practice, protects the personal data processing at a level corresponding to the protection under the Data Protection Directive.
The Safe Harbor Program was introduced in 2000 by the European Commission Decision 2000/520/EC as a special regime for transfers of personal data from the EU/EEA to the United States. US companies that signed up for the scheme undertook to adhere to a number of data protection principles and thus Safe Harbor functioned as a form of prior authorization, after which the companies in question were found to have an adequate level of protection of the processing of personal data. Safe Harbor certified companies could then freely receive personal data from the EU, and European companies could this way transfer personal data to these companies.
The European Court’s Decision of 6 October 2015
The case in which the ECJ had to decide concerned an Austrian national who filed a complaint to the Irish Data Protection Commission regarding Facebook's transfer of personal data from the EU to US servers. He claimed that Facebook had failed to ensure adequate protection of his personal data with reference to Edward Snowden’s revelations of the NSA.
The Irish data protection authority rejected the complaint, and the complainant brought the matter before the Irish High Court (the Supreme Court), where he raised questions about the validity of the Safe Harbor Program. The High Court referred the matter to the ECJ.
The ECJ found that the European Commission in its Decision 2000/520/EC had exceeded its authority by limiting the national supervisory authorities to examine the level of protection.
Also, The ECJ ruled that the United States did not actually secure an adequate level of protection through national legislation and international obligations, and the ECJ declared the Safe Harbor Program invalid.
Danish companies currently transferring data from the EU to the United States under the Safe Harbor Program will be required to consider future personal data transfers to ensure that transfers are made in accordance with the Data Protection Directive.
The decision effectively means that companies must base personal data transfers on other grounds, e.g. the Commission's Standard Contractual Clauses or Binding Corporate Rules.
We recommend that companies henceforward use the European Commission's Standard Contractual Clauses, which is an individual binding standard contract for the transfer of personal data to companies in countries that do not have adequate protection in place. The standard contract is approved by the European Commission.
For global group companies, personal data within the group can alternatively be transferred by implementing the so-called Binding Corporate Rules. The rules govern intercompany business processing and transfer of personal data across the world.
Additionally, companies always have the option to obtain an express consent from the person registered in order to transfer the data from the EU to the United States.