Safe Harbour

October 11, 2015 by

The Court of Justice of the European Union (ECJ)) issued the final ruling in Schrems v. Data Protection Commissioner on 6 October 2015. The Court invalidated the safe harbour arrangement, which governs data transfers between the EU and the US. Within a timeframe of 18 months, the European Court of Justice issued three judgments with great significance for data protection, fundamental rights, and the digital economy.

Trio of data protection decisions

European Court of Justice - Safe Harbour

European Court of Justice

First, the judges in Luxembourg struck down the European Data Retention Directive because it interfered with the fundamental rights with respect for private life and the protection of personal data. The court also held that in issuing the Data Retention Directive, the EU legislature has exceeded the limits of proportionality (C-293/12 und C-594/12 Digital Rights Ireland und Seitlinger).

Second, the European Court of Justice recognised that individuals have a right to suppress links generated by Internet search under the EU Data Protection Directive (often referred to as the ‘right to be forgotten’) C-131/12 Google Spain v. AEPD and Mario Costeja Gonzalez.

Third, Europe’s highest court struck down a transatlantic agreement (safe harbour decision) that for some 15 years enabled companies to transfer digital personal data from Europe to the United States. Europe’s highest court held that the U.S. can not be considered a safe destination for transfers of personal data because of its massive and indiscriminate surveillance, which is inherently disproportionate and interferes with the fundamental rights to respect private life and to the protection of personal data. Additionally, safe harbour lacks an effective means of enforcement and redress for privacy violations (see C-362/14 Maximillian Schrems v Data Protection Commissioner).

Alternatives to safe harbour

Regarding the practical consequences of the Schrems judgment, data transfers from the European Union to the United States can no longer be based on the safe harbour decision and any export of data to the US would be unlawful. U.S. companies will have to find alternative means to legitimise the transatlantic data transfer. Since, the flaws in the system are fundamental and structural, i.e. indiscriminate mass surveillance will never be considered to be proportionate under European law, no real legal solution is in sight. Either the American intelligence gathering system has to change or a new Safe Harbour Agreement needs to be put in place that addresses the court’s concerns.

In light of the argumentation of the court, it is doubtful whether any of the other instruments, such as model contracts or binding corporate rules, would overcome the problem. The use of such model contracts or binding corporate rules will most certainly not stop national data protection authorities from investigating a particular cases, for instance on the basis of complaints, or to exercise their powers in order to protect individuals.

Independent of what the European Commission says, EU member states and their data protection authorities are free to examine independently whether data protection levels in third countries are appropriate. In other words the EU member states are not bound by the finding of the European Commission with regards to the adequacy of data protection in third countries.