The Court of Justice of the European Union (CJEU) has ruled that the European Commission decision establishing the ‘Safe Harbor’ framework is invalid as it does not sufficiently protect the fundamental rights of EU citizens.
The unusually expedited ruling of the CJEU follows the publication of the opinion of Advocate General Bot less than two weeks ago.
The EU Data Protection Directive provides that the transfer of personal data to a third country may only take place if the third country ensures an adequate level of protection. The Directive also provides that the European Commission may decide whether a third country ensures the requisite level of protection. The Commission decided in 2000 that the level of protection afforded to individuals in the US is adequate provided the organisation receiving the data complies with the Safe Harbor framework.
As part of the well-publicised proceedings taken by European privacy campaigner, Max Schrems, against the Irish Data Protection Commissioner (DPC), the Irish High Court sought clarification from the CJEU on whether it is bound by the Commission decision establishing the Safe Harbor framework or whether it could/must conduct its own investigation of the matter. The CJEU found that EU data protection law does not prevent oversight of transfers to third countries by EU national authorities, even where the Commission has adopted an equivalence decision. National authorities must be able to examine, with complete independence, whether the transfer of personal data to a third country complies with the requirements of EU law and fundamental rights of EU citizens.
The Commission decision provided that national security, public interest or US law have primacy over the Safe Harbor principles. The CJEU found that the Safe Harbor framework, in permitting public authorities to have general access to the content of electronic communications, compromised the essence of the fundamental rights of the persons whose data is being transferred. Further, in order to adopt a decision of equivalence, the Commission was required to find that the US in fact ensured a level of protection of fundamental rights equivalent to that under EU law but the Commission did not state in its decision that this was so. Accordingly, the CJEU declared the decision invalid.
The CJEU’s decision that the Safe Harbor framework is invalid has serious consequences for companies which rely on the framework and may have a major effect on such companies’ operations. Over 3,000 US companies are currently certified under the Safe Harbor framework, relying on it to legitimise transfers by affiliates and other companies with which they do business. Such certification can no longer be relied upon to legitimise a transfer of personal data to the US.
The Safe Harbor framework was not the only method of legitimising transfers to the US. Irish businesses currently relying on Safe Harbor must now consider alternative options including Model Contracts and Binding Corporate Rules (BCRs).
Contributed by John Magee.