Keywords: CJEU, European Commission, Safe Harbor
In its judgment of 6 October 2015 (C-362/14), the Court of Justice of the European Union ("CJEU") held that transfers of personal data of European citizens to the United States made under the so-called Safe Harbor scheme are subject to significant risks, and declared the corresponding decision of the European Commission to be invalid. As a consequence, EU entities of U.S. companies so far relying on Safe Harbor will need to revise their practice of submitting personal data to the U.S. to comply with EU data protection law.
The background to this CJEU ruling was a complaint lodged by European Facebook user Maximilian Schrems with the Irish data protection authority. Facebook Ireland, the company's European headquarters, transfers the data of its subscribers to the servers of its parental company in the U.S. Schrems argued that the law and practices of the United States offered no real protection against U.S. surveillance of his data. The Irish authority rejected the complaint relying on the "Safe Harbor" decision of the European Commission of 26 July 2000 (Decision 2000/520/EC). Safe Harbor is a U.S. government framework containing a set of principles on the treatment of sensitive personal data of EU citizens. According to the Commission's decision, it is assumed that an adequate level of data protection is guaranteed where U.S. companies agree to comply with these principles. In the Irish data protection authority's opinion, national data protection authorities should thus be prevented from launching investigations into data transfers covered by the Safe Harbor scheme. The case was brought before the High Court of Ireland, which further referred it to the CJEU.
The key elements of the CJEU ruling are as follows:
- Primarily, the CJEU held that a Commission decision finding that a third country ensured an adequate level of data protection could not reduce the national supervisory authorities' investigative and banning powers granted by EU law. The Member States had to be able to take the measures necessary to safeguard the fundamental right to the protection of personal data under the Charter of Fundamental Rights of the EU.
- Furthermore, the CJEU explicitly declared the Commission's decision 2000/520/EC to be invalid. In the eyes of the CJEU, the Commission's decision did not satisfy the requirements of EU data protection law. This finding is, inter alia, based on the fact that the Safe Harbor scheme was not applicable to U.S. public authorities. Thus, legislation permitting U.S. public authorities to have access to the content of electronic communications on a generalized basis would have to be regarded as compromising fundamental rights.
Whether one agrees with the CJEU's findings or not, this judgment will have substantial impact on international companies' practice of processing personal data. Data transfers to the U.S. are now associated with high legal uncertainty. Additionally, the ruling is likely to affect not only data transfers to the U.S., but also to other countries which the Commission has previously considered to have adequate data protection regimes. Some of the Safe Harbor scheme's shortcomings addressed in the CJEU ruling might be mitigated by the so-called "Umbrella Agreement" the U.S. and the EU have been negotiating. However, the extent to which the CJEU ruling will have an impact on the negotiations remains as of yet unclear.
Originally published October 8, 2015
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.
© Copyright 2015. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.