CJEU declares the European Commission’s US Safe Harbour Decision invalid
On 6 October 2015 the CJEU rendered a judgement by which it declared that the European Commission’s US Safe Harbour Decision is invalid, as a result of which transfer of personal data to the US companies adhering to the Safe Harbour principles shall no longera prioribe considered in compliance with the EU Directive 95/46/EC.
The CJEU was asked to rule on a matter of law in a case relating to Facebook's transfer of EU citizens' personal data to the US. Austrian law student Max Schrems filed a complaint against Facebook Ireland for violation of data protection laws, arguing that personal data, which are automatically transmitted by Facebook to the US under the Safe Harbour scheme are not adequately protected. Schrems referred to Edward Snowden's 2013 revelation that US intelligence services were able to access foreigners' personal information in the databases of companies such as Facebook.
The question the Court was asked was: Is a national data protection authority bound by the European Commission's US Safe Harbour Decision, that the Safe Harbour principles provide adequate privacy protection to personal data exported to the US, or may it investigate complaints about the level of protection provided in the light of events since that decision.
Under the EU privacy law, the transfer of personal data to a country outside the EU can in general only take place if the destination country ensures an "adequate" level of data protection. The Commission’s US Safe Harbour Decision allowed EU companies to transfer European users’ personal data to US companies, which voluntarily adhere to the Safe Harbour principles. Such US companies would under the Safe Harbour, self-certify their compliance with the European privacy principles, and all companies that appeared as certified on the list maintained by the US government were to be treated as if they were European companies as regards data protection laws.
The CJEU established that the Commission’s US Safe Harbour Decision is invalid due to the fact that the Commission failed to ascertain whether the US in fact ensures a sufficient level of protection of fundamental rights equivalent to that guaranteed by the EU Directive 95/46/EC and the European Convention. Finally, the CJEU concluded that the national data protection authorities are not bound by the European Commission's US Safe Harbour Decision, as a result of which they are entitled to examine a claim of a person contending that law and practices in force in a third country where his/her personal data have been transferred, do not ensure an adequate level of protection.
The key implications of the CJEU judgement are that individual European countries can now set their own regulations for US companies' handling of citizens' personal data. As a result of this, countries can choose to suspend transfer of data to the US – forcing EU companies to host users’ personal data exclusively within an EU host data country.
Croatian companies shall either be obliged to refer to the Croatian Data Protection Agency for assessment on a case-by-case basis whether or not the data recipient in the US provides an adequate level of protection of the personal data, or shall have to obtain from data subjects a prior explicit consent for transfer of their data to the US. Another alternative is to implement a set of model contractual clauses, which would also have to be approved by the Croatian Data Protection Agency.