The Court of Justice of the European Union (CJEU) has held that the EU Commission's decision establishing the Safe Harbor data transfer framework is invalid because the Commission failed to determine that the protection afforded to privacy under U.S. law is adequate. The Court also held that national data protection authorities (DPAs) may oversee and suspend data transfers that they do not believe provide adequate protection.
The October 6, 2015, decision has far-reaching consequences for more than 4,500 companies relying upon the transfer of data from Europe to the United States.
Schrems v. Data Protection Commissioner challenged the transfer of personal information by Facebook from Ireland to the United States. The EU Data Protection Directive (Directive) prohibits personal data from being transferred outside the EU unless the transferee country provides an “adequate level of protection” to that data. The European Commission held that transfers of personal data from the EU to U.S. companies that are Safe Harbor-certified provide adequate protection and are therefore permissible under the Data Protection Directive.
Largely adopting the advisory decision from the Court’s Advocate General, the Court determined that U.S. laws that permit generalized access to the content of electronic communication, like the Foreign Intelligence Surveillance Act, exceed what is strictly necessary for the objective.
Further, the Court held that legislation that does not afford individuals the possibility to access, rectify, or erase personal data relating to them, or to any administrative or judicial redress with regard to collection and further processing of their data taking place under surveillance programs, as might be the case in connection with the NSA surveillance, cannot be deemed to provide adequate protection to personal data.
The Court also held the Commission’s prior ruling with regard to the Safe Harbor framework was invalid because the Commission did not find that the United States “ensures” an adequate level of protection by reason of its domestic law or its international commitments. Accordingly, the Court held that national DPAs may undertake their own analysis to determine whether a proposed data transfer adheres to the requirements of the Directive, or initiate enforcement actions where necessary.
The Court’s decision puts into question how and whether thousands of companies will transfer personal data from the EU to the United States going forward. The Court referred the case back to the Irish Data Commissioner to decide the Schrems complaint. Concurrently, it is expected that national DPAs will weigh in on this decision and decide how transfers will carried out.
Enforcement against companies that rely exclusively on Safe Harbor for data transfers is not expected in the coming days. Regardless, companies would do well to analyze their flow of information from the EU to the United States and consider alternative methods for compliance. Those methods include acquiring explicit and informed consent, adopting transfer agreements containing Model Clauses approved by EU authorities, or adopting Binding Corporate Rules.
