Data transfers to the US: the European Court of Justice declares that the EU Commission’s Safe Harbour Decision is invalid

07.10.2015

The Data Protection Directive (95/46/EC) provides that European companies may transfer personal data to countries outside the European Economic Area if such a country ensures an adequate level of personal data protection.

This article was co-written by Valerie Vanryckeghem

Such an adequate level can be established in a number of ways, one of which is a declaration of the EU Commission approving a country’s personal data protection regime, certain mechanisms in countries or the legislation in certain sectors. Other options are consent of the data subject, implementing binding corporate rules or executing EU model clauses between the European entity that transfers the personal data and the company that receives such data.

In its decision of 26 July 2000 (“Safe Harbour Decision”), the EU Commission declared that US undertakings which adhere to the US Safe Harbour Principles, a self-certification mechanism, ensure an adequate level of data protection. This enables European companies to transfer personal data to such entities, without the need to take additional contractual measures to justify the data transfer as such. Many US companies have therefore ensured that they are Safe Harbour compliant. This Safe Harbour Decision has now been declared invalid by the European Court of Justice (“ECJ”), in its judgment of 6 October 2015.

The judgment was rendered in response to a question posed by the Irish High Court, which wished to ascertain whether the Safe Harbour Decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data. The Irish supervisory authority had been confronted with a complaint from an Austrian student relating to the transfer of his personal data by Facebook Ireland to the United States. The student believed that, in the light of the 2013 Snowden revelations concerning the activities of the US National Security Agency ("NSA"), the Safe Harbour framework did not ensure an adequate level of protection of his personal data. The Irish supervisory authority had rejected this complaint by referring to the fact that the EU Commission had decided in 2000 that the Safe Harbour framework ensures an adequate level of data protection.

The ECJ first stated that the existence of an EU Commission decision, declaring that a third country ensures an adequate level of personal data protection, cannot reduce or eliminate the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the Data Protection Directive.

 

This entails that the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the Data Protection Directive. Nevertheless, the ECJ pointed out that it alone has jurisdiction to declare an EU act, such as the Safe Harbour Decision, invalid.

 

In its validity assessment of the Safe Harbour Decision, the ECJ first observed that the EU Commission did not find that the US ensured an adequate level of personal data protection by reason of its national law or its international commitments. The EU Commission merely examined the Safe Harbour Principles, which are applicable solely to US undertakings which adhere to them. In addition, US national security, public interest and law enforcement requirements can deviate from and prevail over the Safe Harbour Principles.

With regard to the assessment of whether the US essentially maintains a level of protection equivalent to the EU, the ECJ concludes that:

  • US legislation violates the fundamental right to respect for private life by allowing storage of all personal data, without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use;
  • US legislation violates the fundamental right to effective judicial protection by not providing legal remedies to individuals in order to access, rectify or delete personal data relating to them.

For all those reasons, the ECJ declares the Safe Harbour Decision invalid. As a consequence the Irish supervisory authority is required to examine the complaint against Facebook’s data transfers with all due diligence and to decide whether this particular transfer to US servers should be suspended on the ground that the US does not afford an adequate level of personal data protection.

 

This judgment also implies that undertakings need to take action if they are currently relying on the Safe Harbour Decision to justify personal data transfers outside the European Economic Area.

 

Alternatively, an adequate level of personal data protection when transferring personal data outside the EEA can be ensured by:

  • obtaining consent from the data subject for the transfer;
  • implementing binding corporate rules;
  • executing model clauses between the data exporter and data importer;
  • depending on the national legislation, obtaining a permit.

It remains to be seen whether this groundbreaking decision will also have an impact on the ongoing negotiations at European level for the new General Data Protection Regulation and the negotiations with the US in the light of the Transatlantic Trade and Investment Partnership. We will keep you posted.
