End of the Safe Harbour programme: What next?
The Court of Justice has issued a judgment invalidating the European Commission’s Safe Harbour decision. This means that participation in the Safe Harbour programme by US entities is no longer grounds for European companies to transfer personal data of EEA citizens to the United States.
On 6 October 2015, the Court of Justice of the European Union held that the European Commission’s decision approving the Safe Harbour programme is invalid (Schrems v Data Protection Commissioner, Case C-362/14). Previously it was possible to transfer personal data from the European Economic Area to US entities that had joined the Safe Harbour programme without obtaining the consent of the national supervisory authority—in Poland, the Inspector General for Personal Data Protection (GIODO). Relying on the Commission’s decision, GIODO regarded American entities certified in the Safe Harbour programme as ensuring an adequate level of protection of personal data for purposes of the EU’s Data Protection Directive (95/46/EC). The invalidation of the Safe Harbour decision removes the legal ground for transfer of personal data to the United States relied on by data protection authorities across Europe and thousands of European companies.
The challenge to the adequacy of data protection under the Safe Harbour programme was brought by Maximilian Schrems, an Austrian citizen who disputed the legality of the transfer of his personal data on Facebook by Facebook Ireland to servers in the United States. Schrems asked Ireland’s Data Protection Commissioner to prohibit this practice by Facebook, but the agency refused to consider the request, relying on the European Commission’s Safe Harbour decision. The case reached the High Court of Ireland, which sought a preliminary ruling from the Court of Justice of the European Union.
The CJEU ruled that national supervisory authorities are required to examine, in complete independence, whether the transfer of personal data to a third country is consistent with the Data Protection Directive. The existence of a decision by the European Commission in this respect cannot exclude or even limit the powers of the national data protection authorities under the directive and the Charter of Fundamental Rights.
The CJEU also stressed its own exclusive jurisdiction to invalidate a decision of the European Commission. The court found that the Safe Harbour decision was invalid because the Commission failed to examine whether the United States in fact ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter. In support of this position, communications from the Commission were cited showing that US authorities had access to personal data of EU citizens and processed the data beyond what was necessary for the protection of national security.
The court pointed out that the Safe Harbour programme applies only to businesses operating in the United States and not to US public authorities. Moreover, US regulations in such areas as national security and the public interest prevail over the rules of the Safe Harbour programme. This allows US authorities nearly unlimited interference with the personal data of EEA citizens, which should be regarded as a violation of the individual’s right to privacy. Similarly, laws which do not provide any recourse for individuals to access the data concerning them or to rectify or erase their data also violate the fundamental rights of the individual.
Consequently, the Irish Data Protection Commissioner was required to give due consideration to the complaint by Schrems and decide whether the transfer of personal data of European users of Facebook to the United States should be suspended because of the failure to ensure an adequate level of protection of personal data.
The judgment by the CJEU is groundbreaking. On the national front, it may give a green light to local data protection authorities to commence inspections of entities that have been transferring personal data from the EEA to participants in the Safe Harbour programme, to verify that they actually ensure an adequate level of protection for the data transferred to the United States.
While awaiting the official position of GIODO in Poland, alternatives to the Safe Harbour system, particularly standard contractual clauses approved by the European Commission or binding corporate rules, may be considered.
Based on CJEU Press Release No. 117/15 of 6 October 2015
Katarzyna Żukowska, Agnieszka Szydlik, Personal Data Protection Practice, Wardyński & Partners