EU–U.S. Data Protection Safe Harbor: Not Safe Anymore

Author:Ms Elizabeth Robertson, Mauricio F. Paez, Paloma Bru and Laurent De Muyter
Profession:Jones Day

On October 6, 2015, the European Court of Justice ("ECJ") invalidated the European Union-United States data protection safe harbor (the "Safe Harbor"). In its decision in Case C-362/14 Maximilian Schrems v Data Protection Commissioner, the ECJ invalidated the Safe Harbor because it failed to provide an adequate level of protection to personal data transferred from the EU to the U.S., as required by the EU Data Protection Directive 95/46/EC. A press release summarizing the decision can be found here. The Safe Harbor was implemented by agreement between the U.S. government and the EU Commission in 2000, and since then more than 4,000 U.S. companies have signed up to the Safe Harbor in order to receive electronic data from the European Union. As a result of this decision by the ECJ, international data transfers cannot continue to be made by customers and businesses in the EU to U.S. companies on the basis of the Safe Harbor. Following the Advocate General's view in his September 23, 2015 opinion, the ECJ furthermore made clear that the data protection authorities in Member States must be able to examine whether a data transfer to a third country is in compliance with the requirements of the EU Data Protection Directive, even if a Commission decision (like in case of Safe Harbor) has been adopted. However, only the ECJ itself shall have jurisdiction to declare the Commission decision in question invalid. In finding that Member State data protection authorities have such powers, the ECJ may have opened up a new era of intervention by Member State data protection authorities with respect to other Commission decisions, including the EU Standard Contractual Clauses. However, uniform application of the law seems to remain ensured by the fact that only the ECJ shall have the ultimate decision regarding the validity of the challenged Commission decision. The Schrems case arose from a challenge by Austrian law student Maximilian Schrems to the determination by the Irish Data Protection Commissioner that the existence of the Safe Harbor precluded the Irish agency from stopping Facebook's data transfers from Ireland to the U.S., even though Facebook was allegedly providing information to the U.S. intelligence services in violation of EU data protection laws. Following the opinion of the Advocate General, the ECJ concluded that the Safe Harbor did not offer the requisite protections and that the Safe Harbor arrangements should therefore be ended. As...

To continue reading