In a milestone decision on transatlantic data protection, the European Court of Justice (ECJ) issued its judgment in the Max Schrems case on October 6, 2015, declaring the EU-U.S. Safe Harbor invalid. As many predicted, the judgment follows the opinion of Advocate General Bot, published less than two weeks ago, and rules that the Safe Harbor does not supersede the powers of EU Member State authorities to scrutinize the handling and transfer of personal data outside the EU.
The key reasons given by the ECJ for declaring the Safe Harbor decision invalid include: 1) the Safe Harbor’s overly general provision for self-certified companies to disregard the Safe Harbor principles where they conflict with national security, public interest and law enforcement requirements; and 2) the inability of EU citizens to pursue legal remedies in order to gain access to personal data or to obtain the rectification or erasure of such data where it is transferred to the U.S.
In addition, the ECJ decided that while data protection authorities (DPAs) cannot adopt measures contrary to a European Commission decision until such time as the decision is declared invalid by the Court, DPAs must be able to examine with complete independence whether transfers are compliant with the EU Data Protection Directive and, in particular, whether the level of protection in the U.S. for a specific type of data transfer is “essentially equivalent to that guaranteed in the EU legal order.”
In a press conference held following the publication of the judgment, the Commission confirmed that its objectives are: (i) to guarantee the protection of EU citizens’ personal data when transferred to the U.S.; (ii) to step up ongoing talks with U.S. authorities regarding transatlantic data flows and, in particular, with a view to finalizing a new Safe Harbor version 2.0; and (iii) to issue guidance to national DPAs to ensure a coordinated response to alternative ways to transfer data. We understand that the Article 29 Working Party (the EU’s data protection advisory body) is set to meet later this week for initial discussions.
While the Commission appears to be focusing its efforts on negotiations with the U.S., the question still remains as to whether Safe Harbor version 2.0 will be sufficient to address the concerns raised by the ECJ. Indeed, the U.S. Secretary of Commerce expressed in a press release deep disappointment in the Court’s decision, claiming it “creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy.”
Ultimately, businesses relying on the EU-U.S. Safe Harbor, whether for intra-group data transfers or for transfers to third parties, will need to reassess their choice of international data transfer solutions and decide whether to adopt alternative mechanisms, such as Binding Corporate Rules or EU standard contractual clauses. It is difficult to predict at this stage how DPAs will enforce the ECJ decision in the short term, although in a statement, the UK’s Information Deputy Commissioner acknowledged that it may take businesses that previously relied on the Safe Harbor some time to review alternative solutions.