EU Court Rejects 'Safe Harbor' Agreement Permitting Customer Data Transfers To U.S.

Author:Sheppard Mullin Richter Hampton LLP
Profession:Sheppard Mullin Richter & Hampton

The European Court of Justice (ECJ) has struck down the 15-year-old "Safe Harbor" agreement that permitted companies operating in Europe to transmit personal user data to the United States, as long as the U.S. ensures an adequate level of data protection at the company and certifies that it will abide by seven EU data privacy principles regarding notice, choice, onward transfer, security, data integrity, access, and enforcement. The case, entitled Maximillian Schrems v. Data Protection Commissioner, was decided on October 6, 2015 and has an immediate effect on European courts. See here.

According to the ECJ, the trans-Atlantic data-sharing pact, which had been enforced by the Federal Trade Commission in the U.S., does not provide adequate protection for Europeans' private data under EU law in light of the revelations by former American intelligence contractor Edward Snowden concerning the U.S. government's mass data collection and "PRISM" surveillance program. More than 4,000 companies, including Apple and Amazon, had relied on the "Safe Harbor" agreement.

The ECJ cited two key reasons for invalidating the July 2000 European Commission decision 2000/520/EC, which legally permitted data to be transferred to U.S. companies in accordance with the Safe Harbor provisions:

First, the ECJ opinion stated, the Safe Harbor framework made it too difficult for national privacy officials in the European Economic Area to intervene and ensure the security of Europeans' private data, undermining member states' independence. "In particular, legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life," the ECJ decision noted; and Second, the ECJ found that Commission Decision 2000/520/EC of July 26, 2000 as to the adequacy of the Safe Harbor is invalid and that the Safe Harbor framework did not ensure the data was adequately protected under Safe Harbor principles because private data was shared with outside governmental agencies for security purposes. The ECJ noted that the Commission admitted that data was transferred to agencies unnecessarily in some cases. The ECJ also ruled that the framework failed to provide an individual the right to "pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data" and that this was...

To continue reading