Recently the European Court of Justice (the ECJ) rendered a
decision invalidating the Safe Harbor Framework between the
European Union (the EU) and the United States which allowed
organizations to transfer personal data from EU member states to
the United States. The decision has resulted in significant
uncertainty for the 4,500 organizations that relied on the
agreement and will now need to implement alternatives for the
transfer of personal data that comply with the ruling.

In 1998, the European Commission (the EC) implemented the Data
Privacy Directive which prohibits the transfer of personal data to
non-EU countries that do not meet the EU's "adequacy"
standard for privacy protection. In 2000, following negotiations
between the EC and the United States and the issuance of EC
decision 2000/520, the Safe Harbor Framework came into force. It
allowed an organization to transfer personal data from the EU
member states to the US, so long as it self-certified that it
complied with the principles of the Safe Harbor Framework.

Max Schrems, an Austrian citizen, challenged Facebook's
cross-border data transfer practices before the Irish Data
Protection Authority (the DPA). He claimed that personal data
transfers from Facebook Ireland to Facebook U.S. under the Safe
Harbor Framework were not afforded "adequate protection,"
as required pursuant to the directive. He relied on the revelations
by Edward Snowden that the US government had engaged in
mass-surveillance programs that may have included personal data of

The Irish DPA refused to investigate the claim, whereupon Schrems
brought an action before the Irish High Court. The court stayed the
proceedings and referred the matter to the ECJ.

The ECJ found that EC decision 2000/520 is invalid.
Specifically, the ECJ determined that the Safe Harbor Framework
flowing from EC decision 2000/520 did not allow for adequate
protection since (i) it allows US agencies to broadly access the
personal data of EU citizens transferred to the US; (ii) those EU
citizens lack legal remedies to seek access to their data or to
obtain rectification or deletion of such data; and (iii) these
deficiencies do not provide the level of protection of fundamental
rights that are equivalent to those guaranteed by the EU.

The ECJ also found that the existence of an EC decision that
ensures an adequate level of protection of the personal data
transferred to a non-EU country (such as EC decision 2000/520)
cannot eliminate or reduce the powers available to DPAs under the
Charter of Fundamental Rights of the European Union and
the directive. Accordingly, DPAs are not prevented from examining
claims of persons who contend that the law and practices of
countries to whom their personal data have been transferred (from
an EU member state) do not provide for an "adequate"
level of protection.

This decision is noteworthy for several reasons. First, given
that the decision had immediate effect, it left approximately 4,500
organizations who rely on the Safe Harbor Framework to look for
alternatives that are compliant with the EC's directive.

Second, the decision highlights the underlying policy tension
that governments face when balancing the need to protect the
personal information of their citizens against giving law enforcement
agencies the ability to access personal data in the broader
national security context. The irony in this decision is that, even
in EU Member States, laws exist for government scrutiny of personal
data without the data subject's consent (e.g., the UK's
1994 Intelligence Services Act allows UK secret services
to conduct surveillance similar to that by the NSA that was the
basis for Mr. Schrems's complaint). Therefore, by this decision,
non-EU countries are effectively being held to a higher

Third, we note that Canada is one of the 11 countries recognized
by the EC as having "adequate protection" mechanisms for
protecting personal data. As the US and EC explore the possibility
of implementing an amended Safe Harbor Framework that can withstand
legal scrutiny, Canada may be an attractive alternative for
companies that need to transfer personal data of EC residents to
North America, at least until there is a successful complaint
challenging Canada's status as affording an adequate level of

We will be monitoring the developments flowing from this
decision and will advise on any significant developments as they

The contribution of Noah Leszcz, articling student,
in the preparation of this article is gratefully

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.