Court of Justice of the European Union rules Safe Harbour Scheme invalid
The “Safe Harbour” scheme was designed to allow personal data to be transferred from EU undertakings to US undertakings in line with the EU Data Protection Directive and was approved by EU Commission decision 2000/520/EC. To avail of the voluntary scheme, a US undertaking could self-certify that it subscribed to a series of privacy principles (outlined in the Commission decision) that ensured an adequate level of protection was afforded to EU citizens’ personal data when it was transferred to a US undertaking. On 6 October 2015, the Court of Justice of the European Union (CJEU) in the case of Maximillian Schrems v Data Protection Commissioner held that the Safe Harbour scheme is invalid. This decision will have implications for companies transferring personal data outside the EU to US undertakings.
Maximillian Schrems v Data Protection Commissioner
Following the Edward Snowden revelations in 2013 regarding the surveillance activities of the US intelligence services, Mr. Schrems made a complaint (in relation to his Facebook account details) to the Data Protection Commissioner, Ireland’s national supervisory authority for the purposes of the Directive. Mr. Schrems’s complaint was that, in light of Mr. Snowden’s revelations, the US does not provide an adequate level of protection of the personal data transferred. The Data Protection Commissioner rejected the complaint on the basis that the European Commission decision provides that the Safe Harbour scheme affords an adequate level of protection. Mr. Schrems brought an application to the Irish High Court to judicially review the rejection of the complaint, and the High Court referred a question to the ECJ; namely, is a national supervisory authority prevented from investigating a complaint relating to a third country’s level of protection of personal data transferred, where it has already been approved by the EU Commission?
The CJEU held that a national supervisory authority may investigate a complaint and that the EU Commission decision could not restrict a national supervisory authority’s power to do so. Significantly, it found that the Safe Harbour scheme was invalid. In its decision the Court noted that US undertakings that subscribe to the scheme are bound to disregard the principles of the scheme, without limitation, where they may conflict with US national security, public interest and law enforcement, and that this compromises the fundamental right to respect for private life. The CJEU also noted the lack of legislation providing an individual with a legal remedy if the principles were breached and found this to compromise the right to effective judicial protection.
Implications of this decision
This decision will create difficulties for US companies that have their headquarters in the EU, but a large operating base out of the US, and for EU companies that use providers in the US. Where a company has relied exclusively on the Safe Harbour scheme for transfer of personal data to a US undertaking, it should immediately review its data protection policy and seek to avail of an alternative method of transferring personal data to the US. Potential options are:
- Obtaining express and informed consent from each individual to the transfer of their personal data;
- Applying EU Model Clauses; or
- Adopting Binding Corporate Rules.
The European Commission and the US are in advanced discussions regarding new data protection rules and it is hoped that these will be put in place towards the end of 2015.