In a strongly worded decision, Europe's highest court
yesterday struck down the Safe Harbor accord enabling transatlantic
data transfers between the United States and the European Union.
The European Court of Justice ("ECJ") ruled that United
States' Safe Harbour scheme fails in two fundamental ways:
first, it fails to provide an adequate level of protection for EU
citizens' data; and, second, it offers EU citizens no judicial
means of redress in the United States and denies EU data protection
authorities the power to review complaints challenging the
va¬lidity of the data transfers to third-party countries. The
impact of this decision has the potential to be far reaching.
Of great significance is the ECJ's ruling that, in
determining whether another jurisdiction's scheme affords
adequate protection under EU data protection laws (thereby
permitting data transfers), one must look not simply at the
proposed scheme, but also at the domestic laws and international
commitments of the juris¬diction in question to determine
whether in totality the jurisdiction in question affords a level of
protection of fundamental rights equivalent to that guaranteed
within the EU. The ECJ concluded that legislation per¬mitting
public authorities to have access on a generalized basis to the
content of electronic communica¬tions must be regarded as
compromising the essence of the fundamental right to respect for
"National security, public interest and law enforcement
requirements of the United States prevail over the safe harbor
scheme, so that United States undertakings are bound to disregard,
without limitation, the protective rules laid down by that scheme
where they conflict with such requirements," the ECJ said.
"The United States safe harbor scheme thus enables
interference, by United States public authorities, with the
fundamental rights of persons, and the Commission decision does not
refer either to the existence, in the United States, of rules
intended to limit any such interference or to the existence of
effective legal protection against the interference."
The European Commission approved the Safe Harbour principles in
July 2000 and, at that time, deemed those organizations that agreed
to be bound by them to be appropriate and acceptable recipients of
data transfers from EU member states. Over the last 15 years,
massive amounts of data transferred between organizations in EU
member states and the United States, and significant commercial
arrangements worth billions of dollars have been premised on the
approval and ongoing validity of the Safe Harbour.
The ECJ has struck down this cornerstone of international data
sharing, with no guidance as to next steps.
It will be interesting to see if Canada and Canadian
corporations – which are subject to public challenges of
privacy compliance – become the beneficiary of this decision,
as organizations in the United States and their EU counterparts
look to Canada to house and process data for North American
operations. Historically, Canada has had a strong international
reputation for protecting personal information. However, the
protection of personal in¬formation afforded by Canada's
privacy laws (federal and certain provincial models) have been
questioned lately. Of particular interest will be whether some of
the legislation (e.g., Bill C-51) introduced by the Canadian
federal government affording Canadian law enforcement officials
greater access to data pushes Canada into the realm of not
providing adequate protection to personal information, thereby
putting Canada in the same category as the United States and
cutting off Canadian access to data transfers from Europe.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).