CJEU Declares ‘Safe Harbour’ Invalid
On 6 October 2015, the CJEU delivered its judgement on the case ‘Schrems vs Facebook’, ruling that personal data of European internet users are not adequately protected against access by authorities in the US. The agreement which established simplified procedures for transmitting and transferring data to the US (‘Safe Harbour’) was thus declared invalid.
In 2013, the Austrian law student Max Schrems filed a complaint against Facebook Ireland for violation of data protection laws, arguing that Facebook automatically transmitted all data to the US under the Safe Harbour scheme.
In the view of Max Schrems, it is against EU law to transmit data to the US without having national authorities in Europe verify whether Facebook complies with European standards of data protection in the US.
The High Court of Ireland had already considered this issue to be a decisive factor in the interpretation of European Union law in late September 2014 and thus referred the case to the CJEU for a preliminary ruling. The CJEU conducted proceedings in that regard under case number C-362/14.
When making its decision, the CJEU considered whether the Safe Harbour scheme was in line with EU legislation. The Safe Harbour scheme is based on an agreement drawn up between the EU and the US which provides for self-certification by the adhering US companies. All companies that appeared as certified on the list maintained by the US government were to be treated as if they were European companies as regards data protection law. Until now, this certification served as a guarantee that the relevant company complied with European standards of data protection.
On 6 October 2015, the CJEU ruled that the Safe Harbour agreement between the US and the EU was invalid, as US companies were unable to provide an adequate level of protection of personal data. After the revelations made by Edward Snowden, US companies are no longer considered to be a ‘safe harbour’ for European users’ data.
The ruling has far-reaching implications for companies in the US and Europe, as it is no longer possible to transmit or transfer data to the US or to clouds hosted by US companies under the Safe Harbour scheme. US providers now have to come up with a plan B if they want to continue working with companies in Europe.
The decision is also likely to have a major impact on the European cloud sector. Austrian companies would, for the time being, either have to ask individuals for permission to transfer their data to the US, or the Austrian data protection authority would have to assess case by case, in an elaborate procedure, whether, for example, the data recipient in the US is subject to the PRISM surveillance programme. Another alternative would be to implement so-called standard contractual clauses, although these also stem from a decision by the EU Commission and might be struck down as well in light of the latest ruling.
How the national data protection authorities will deal with this ruling remains to be seen. They will most likely issue an announcement or recommendation to the affected companies in the near future, providing details on how to handle the now unlawful transfer of data to the US.