European Court of Justice invalidates EU- US 'Safe Harbor' pact

White & Case LLP
Contact

On 6 October 2015, the Court of Justice of the European Union ("CJEU" or "the Court") issued its judgment in case C 362/14 Maximillian Schrems v Data Protection Commissioner.

Overview

The Court ruled on two significant issues:

  • The existence of a decision by the European Commission ("the Commission") finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the Data Protection Directive[1] ("the Directive"). Thus, even if the Commission has adopted a decision, when dealing with a claim, national supervisory authorities have the power to examine with complete independence whether the transfer of a person's data to a third country complies with the requirements laid down by the Directive.
  • The Court declared Commission decision 2000/520/EC on the adequacy of the EU-US safe harbor arrangement invalid.

Background

The Directive states that personal data can only be transferred to countries outside the EU when an adequate level of protection is guaranteed, and these transfers may only take place if one of the transfer mechanisms set out in the data protection rules is used. These mechanisms include, inter alia¸ standard data protection clauses in contracts between US-EU companies exchanging data, and binding corporate rules for intra-group transfers.

In 2000, the Commission issued decision 2000/520/EC outlining a series of safe harbor principles to which US companies self-certify that they conform. This safe harbor agreement has facilitated data transfers from the EU to the US, but has now been declared invalid by the CJEU.

Next steps

Following the Court's judgment, the Commission has indicated that its three priorities are to:

  • protect personal data transferred overseas;
  • continue transatlantic data flows with adequate safeguards; and
  • work with national data protection authorities to ensure a coordinated response and uniform application of EU law in the internal market.

The Commission and the national data protection authorities are expected to issue guidance for businesses affected by the judgment shortly.

In response to the ruling, White & Case has put together a Safe Harbor Action Plan, which will be updated once such guidance becomes available.

[1] - Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L 281, p. 31. 

Audrey Oh, a Trainee Solicitor in the Firm's London office, assisted in the development of this article.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White & Case LLP | Attorney Advertising

Written by:

White & Case LLP
Contact
more
less

White & Case LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.