The Court of Justice of the European Union (CJEC) has in its judgement of 6 October 2015 (C-362/14) given a groundbreaking ruling. The ruling blocks, for the time being, the transfer of personal data to US undertakings which have accepted the so-called ‘Safe Harbor principles’. Many online services currently rely on this arrangement.
‘Safe Harbor Decision’ of EU Commission Declared Invalid
The Court declares the ‘Safe Harbor decision’ of the EU Commission (2000/520) invalid. The background to this decision is as follows. According to EU privacy rules, the transfer of personal data of EU citizens to countries outside the EU is not permitted unless that country has sufficiently guaranteed that an adequate level of protection for these personal data is offered. The Decision 2000/520 of the EU Commission states that in case of transfer of personal data to US companies which have accepted the ‘Safe Harbor principles’, there is an adequate protection level for such data in the view of the EU Commission.
Now that the decision has been declared invalid, transfer to US undertakings is not permitted unless the protection of privacy is sufficiently guaranteed in another way.
Complaint against Transfer by Facebook Ireland to Facebook USA
This ruling was given in the following case. Maximilian Schrems, an Austrian, filed a complaint with the Irish Data Protection Commissioner about the transfer by Facebook Ireland of personal information placed by him on his Facebook account to the servers of Facebook in the US.
The complaint is based on the revelations by Snowden relating to the requisitioning from US companies and the subsequent unbridled searching of personal information of EU citizens by the American National Security Agency (NSA). According to Schrems, this shows that if this information is passed on to a US company, the protection of his information is insufficiently safeguarded by EU standards.
The Irish Data Protection Commissioner rejects the complaint with reference to the ‘Safe Harbor decision’ of the EU Commission and to the fact that Facebook has accepted the ‘Safe Harbor principles’.
Schrems appeals against this ruling to the Irish High Court. This court subsequently requests a preliminary ruling from the CJEC, in particular on the extent to which the ‘Safe Harbor decision’ limits the powers of the national privacy supervisory authorities to investigate whether a third country (the US) offers an adequate level of protection for the personal information of EU citizens transferred to it.
How Did the Court Come to the Invalidation?
In its answer, the Court includes an assessment of the validity of the ‘Safe Harbor decision’ of the EU Commission. After all, as long as the decision has not been declared invalid, the supervisory authorities (the National Data Protection Commissioners) are bound by it. The invalidation and the underlying reasons are what give the ruling its groundbreaking character.
As already stated, EU privacy law includes the requirement that on the transfer of personal data to a country outside the EU, that third country must have ‘an adequate level of protection’ for such data. If this is lacking, transfer to that country is not permitted.
The Court first considers that the term ‘adequate level of protection’ of EU privacy law must be understood ‘as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46, read in the light of the Charter’.
The Court emphasises that it must therefore relate to a level of protection which is offered by the national legal system of the third country to which the personal data are being transferred. Both the legislation and the practice of the observance of the rule of law in that country must be considered. According to the Court, this must be assessed not as a one-off, but periodically.
Subsequently, the Court determines that the ‘Safe Harbor principles’ on the basis of a system of self-regulation only apply to US undertakings which accept these principles, and not for the government bodies of the US.
The Court observes that the EU Commission when determining the ‘Safe Harbor decision’ did not investigate whether the national legislation and the practice of observance of this in the US provide guarantees for an adequate level of protection. In addition, the decision states that the ‘Safe Harbor principles’ must make way for obligations of the US undertakings on the basis of legislation of the US if there were to be contradictions between them. This, according to the Court, makes it possible that on the basis of legislation in the US or requirements of national security or general interest, the fundamental rights of EU citizens in respect of privacy are breached in relation to their personal data that have been transferred to US undertakings.
That such protection is in fact not guaranteed is shown by the comments of the EU Commission, where it found ‘that the United States authorities were able to access the personal data transferred from the Member States to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Also, the Commission noted that the data subjects had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased’.
This situation in the US affects the essence of the fundamental right to privacy for EU citizens whose data have been transferred to a US undertaking. Consequently, the Court comes to the conclusion that the decision of the Commission conflicts with this and therefore has to be declared invalid.
Powers of the National Supervisory Authorities
In respect of the powers of the supervisory authorities, the Court considers as follows. The ‘Safe Harbor’ decision of the Commission states that the national supervisory authorities of the EU Member States are not permitted to examine whether EU privacy law is actually satisfied and to take measures to enforce compliance. This must be seen as a limitation of the powers of these authorities. However, according to the Court, the Commission does not have the authority to limit the powers of the supervisory authorities. This is also a reason to declare the decision of the Commission invalid.
What Happens Next?
The Irish Data Protection Commissioner will now have to investigate whether the transfer of personal data of EU Facebook members to the US offers sufficient safeguards for an adequate level of protection of the personal data there. If the Data Protection Commissioner concludes on the basis of such investigation that this is not the case, it will have to suspend the transfer of such data. In view of the analysis of the situation in America by the Court, it is anticipated that this suspension will become reality.
There is still much to say about the meaning and the consequences of this ruling. For example, one could discuss whether the alternative of concluding a standard contract (provided by the EC) with the US company will address these issues sufficiently. Such a contract will not change the existing US legislation and the practice of its observance in the US.