European Court of Justice Issues Opinion Striking Down The Safe Harbor

Author:Prof. Dr. Hans-Georg Kamann, Dr. Martin Braun, Frédéric Louis, Christian Schwedler and D. Reed Freeman,Jr.

In a landmark judgment in Schrems v Data Protection Commissioner (C-362/14) (October 6, 2015) ("Safe Harbor judgment"), the European Court of Justice ("ECJ") found the Safe Harbor Decision of the European Commission (Commission Decision 2000/520/EC of 26 July 2000) to be invalid. The invalidity of the Safe Harbor Decision calls into question the legality of large portions of data flows from Europe to the United States and causes considerable legal uncertainty for US companies offering their services in the EU.

Legal Background 

Under Art. 25 (1) of the EU Data Protection Directive 95/46/EC ("Directive 95/46"), the central legislation to govern the processing of personal data of European users, personal data of European citizens may be transferred to a non-EU country only if the country in question ensures an adequate level of protection of the data transferred. In its Safe Harbor Decision, the European Commission had decided that the "Safe Harbor Privacy Principles" as provided for by the United States Department of Commerce and its guidance documents (e.g., the FAQs) and procedures ensure an adequate level of protection for personal data transferred from the EU to organizations established in the US provided that these organizations: (1) have unambiguously and publicly disclosed their commitment to comply with the Safe Harbor Principles; and (2) are subject to the statutory powers of a government body in the United States that is empowered to investigate complaints and to obtain relief against unfair or deceptive practices as well as redress for individuals.   Such decisions of the European Commission are generally binding for the EU Member States and their authorities. Hence, based on the Safe Harbor Decision, the transfer of personal data of EU citizens to Safe Harbor-certified organizations in the US, which have been treated by virtue of the Safe Harbor Decision as if they were seated in a safe country in the meaning of Art. 25 (1) Directive 95/46, was considered legal. Large portions of the currently existing data transfers from the EU to the US rely for their legitimacy on the Safe Harbor Decision.

The Safe Harbor Judgment of the ECJ

The case before the ECJ was referred by the High Court of Ireland in a case brought by Max Schrems, an Austrian data protection activist, against the Irish Data Protection Commissioner ("IDPC"). Mr. Schrems had asked the IDPC to exercise his powers to prohibit Facebook from transferring his personal data...

To continue reading