The European Court of Justice has today ruled that the European Commission's US Safe Harbor Decision, which lets American companies use a single standard for consumer privacy and data storage in both the US and Europe, is invalid.
Background
Austrian privacy advocate, and Facebook user, Max Schrems brought an action against Facebook in Ireland in relation to the transfer of personal data to the USA and the interference that this has with his fundamental right to private life. As with other Facebook subscribers' resident in the EU, some or all of the data provided by Mr Schrems is transferred from Facebook's Irish subsidiary to servers located in the United States. Mr Schrems complaint stems from the revelations of Edward Snowden in 2013 concerning the activities of the National Security Agency (NSA) and that the law and practice in the United States do not offer sufficient protection against surveillance by public authorities of the data transferred to that country. Mr Schrems complaint was rejected by the Data Protection Commissioner in Ireland as it was covered by the Safe Harbor provisions. Mr Schrems subsequently contested this decision and it was referred to the European Court of Justice.
Legal Rules
The Data Protection Directive (Directive 95/46/EC) provides that the transfer of personal data to a third country may only take place if that third country ensures an adequate level of protection of the data. The directive also provides that the European Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or international commitments. The European Commission made such a decision in relation to the United States of America in 2000 (2000/520/EC). This is referred to as the Safe Harbor decision and has been used by around 5,000 American companies since its inception.
Decision
In today's judgment the Court of Justice found that even where the European Commission has adopted a decision finding that a third country ensures an adequate level of protection of the personal data transferred, this cannot eliminate or reduce the powers available to the national supervisory authorities under the Charter of Fundamental rights and the directive. Authorities such as the Information Commissioner in the UK or the Data Protection Commissioner in Ireland, will now be able to examine whether the transfer of a person's data to the United States complies with the requirements laid down in the directive.
The Court found that as the Commission decision only relates to American undertakings that adhere to it, and US public authorities are free to ignore the protective measures found in it, the Safe Harbor Decision allows for interference with the fundamental rights of EU citizens by US public authorities.
Furthermore the unlimited storage and transfer of all personal data of persons without any differentiation and without clear objectives and limitations relating to public authority access was found to further infringe on the fundamental right to privacy.
As a result, the CJEU has found the Safe Harbor Decision to be invalid, due to the breaches of the fundamental right to privacy and the capacity of American public authorities to gain access to the personal data of Europeans without their consent.
Consequences
Companies such as Facebook and Twitter that store personal data will now face scrutiny from individual European countries data regulators and could be forced to host European user data in Europe, rather than hosting it in the US and transferring it over. All businesses which hitherto have relied on cloud computing arrangements or utilise the safe harbor regime to transfer employee or customer data to parent companies should be reviewing as a matter of urgency how they can now become compliant with EU Data Protection law.
MacRoberts has expertise in and advises on a wide range of data protection law, particularly the obligations on organisations in relation to personal data and security measures. For more information, please contact a member of our Intellectual Property, Technology and Commercial Team.
Disclaimer
The material contained in this article is of the nature of general comment only and does not give advice on any particular matter. Recipients should not act on the basis of the information in this e-update without taking appropriate professional advice upon their own particular circumstances.
