In its judgment of 6 October 2015 (C-362/14), the Court of Justice of the
European Union ("CJEU") held that
transfers of personal data of European citizens to the United
States made under the so-called Safe Harbor scheme are subject to
significant risks, and declared the corresponding decision of the
European Commission to be invalid. As a consequence, EU entities of
U.S. companies so far relying on Safe Harbor will need to revise
their practice of submitting personal data to the U.S. to comply
with EU data protection law.
The background to this CJEU ruling was a complaint lodged by
European Facebook user Maximilian Schrems with the Irish
data protection authority. Facebook Ireland, the company's
European headquarters, transfers the data of its subscribers to the
servers of its parental company in the U.S. Schrems argued
that the law and practices of the United States offered no real
protection against U.S. surveillance of his data. The Irish
authority rejected the complaint relying on the "Safe
Harbor" decision of the European Commission of 26 July 2000
(Decision 2000/520/EC). Safe Harbor is a U.S.
government framework containing a set of principles on the
treatment of sensitive personal data of EU citizens. According to
the Commission's decision, it is assumed that an adequate level
of data protection is guaranteed where U.S. companies agree to
comply with these principles. In the Irish data protection
authority's opinion, national data protection authorities
should thus be prevented from launching investigations into data
transfers covered by the Safe Harbor scheme. The case was brought
before the High Court of Ireland, which further referred it to the
The key elements of the CJEU ruling are as follows:
Primarily, the CJEU held that a
Commission decision finding that a third country ensured an
adequate level of data protection could not reduce the national
supervisory authorities' investigative and banning powers
granted by EU law. The Member States had to be able to take the
measures necessary to safeguard the fundamental right to the
protection of personal data under the Charter of Fundamental Rights
of the EU.
Furthermore, the CJEU explicitly
declared the Commission's decision 2000/520/EC to be invalid.
In the eyes of the CJEU, the Commission's decision did not
satisfy the requirements of EU data protection law. This finding
is, inter alia, based on the fact that the Safe Harbor
scheme was not applicable to U.S. public authorities. Thus,
legislation permitting U.S. public authorities to have access to
the content of electronic communications on a generalized basis
would have to be regarded as compromising fundamental rights.
Whether one agrees with the CJEU's findings or not, this
judgment will have substantial impact on international
companies' practice of processing personal data. Data transfers
to the U.S. are now associated with high legal uncertainty.
Additionally, the ruling is likely to affect not only data
transfers to the U.S., but also to other countries which the
Commission has previously considered to have adequate data
protection regimes. Some of the Safe Harbor scheme's
shortcomings addressed in the CJEU ruling might be mitigated by the
so-called "Umbrella Agreement" the U.S. and the EU have
been negotiating. However, the extent to which the CJEU ruling will
have an impact on the negotiations remains as of yet unclear.
Originally published October 8, 2015
Mayer Brown is a global legal services provider
comprising legal practices that are separate entities (the
"Mayer Brown Practices"). The Mayer Brown Practices are:
Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both
limited liability partnerships established in Illinois USA; Mayer
Brown International LLP, a limited liability partnership
incorporated in England and Wales (authorized and regulated by the
Solicitors Regulation Authority and registered in England and Wales
number OC 303359); Mayer Brown, a SELAS established in France;
Mayer Brown JSM, a Hong Kong partnership and its associated
entities in Asia; and Tauil & Chequer Advogados, a Brazilian
law partnership with which Mayer Brown is associated. "Mayer
Brown" and the Mayer Brown logo are the trademarks of the
Mayer Brown Practices in their respective
This Mayer Brown article provides information and comments
on legal issues and developments of interest. The foregoing is not
a comprehensive treatment of the subject matter covered and is not
intended to provide legal advice. Readers should seek specific
legal advice before taking any action with respect to the matters
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
In this article Filippo Noseda examines the impact of the Common Reporting Standards (CRS), based on practical examples of data transfer and data breaches and analysed in the light of general tax law principles.
Four years after the overhaul of European data protection laws began, the final text of the new General Data Protection Regulation (GDPR) was approved in Spring 2016 and the new rules will come into effect on 25 May 2018.
This update is dedicated to covering the latest legislative developments affecting the way data is managed and protected, as well as reporting on the most recent news governing data breaches and industry developments.
The market of the so-called "connected vehicles" has been considerably growing since 2015. According to a recent study by AlixPartners, 78 million of connected vehicles will be commercialized in 2018, generating a EUR40 billion turnover.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).