The European Court of Justice declared on Oct. 6 that the EU Commission’s U.S. Safe Harbor scheme is invalid. Large-scale information gathering programs in the U.S. surfaced by Edward Snowden gave rise to the Court’s concerns whether the requirements of EU law are observed when personal data is transferred to “undertakings” in the U.S. The Court found data transfers to the U.S. do not meet the rigors of the EU’s Data Protection Directive 95/46/EC (OJ 1995 L 281, p. 31) [Privacy Directive].

The Privacy Directive states that transferring personal data to a third country may ensue if the third country ensures an adequate level of data privacy protection. Under the European Union Commission Decision 2000/520/EC on July 26, 2000 (Safe Harbor Decision), the Commission found “the adequacy of the protection provided by safe harbor privacy principles provides a legal basis to transfer personal data from the EU to undertakings in the U.S. that adhere to safe harbor principles.” The “safe harbor” scheme includes principles concerning protecting personal data that U.S. undertakings, or entities, may voluntarily subscribe.

Maximillian Schrems, an Austrian citizen living in Ireland and a Facebook user since 2008, complained to the national advisory authority, the Irish Data Protection Commissioner, that data saved to Facebook’s Irish subsidiary was transferred to servers in the U.S. Schrems contested because of the revelations made in 2013 by Edward Snowden that the law and practice in the U.S. do not offer adequate protection to transferred data against surveillance by public authorities.

The Irish Data Protection Commissioner rejected Schrems’ complaint based on the Safe Harbor Decision. Schrems appealed to the High Court of Ireland, which posed the question to the Court of Justice: Whether the Safe Harbor Decision prevents a national advisory authority from “investigating a complaint alleging that a third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data?”

Short answer: No. The Commission’s decision finding a third-party country ensures an adequate level of protection of the personal data transferred “cannot eliminate or even reduce the powers available to the national supervisory authorities.”

The Court of Justice stated that no provision of the Privacy Directive or Commission decision prevents oversight by national supervisory authorities of transfers of personal data to third countries. National advisory authorities can independently examine whether a transfer of a person’s data to a third country complies with the requirements laid down by the directive.

The Court of Justice reaffirmed its sole authority to declare an EU act or decision invalid and declared the Safe Harbor Decision so: Invalid. The Court found that the U.S. safe harbor scheme applied to “undertakings,” such as Facebook’s data transfer, but not to U.S. public authorities. The Court found that legislation permitting public authorities “access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.” [See FISMA Amendment Act 2008.]

The Court directed the Irish Data Protection Commissioner to examine de novo Schrems’ complaint to decide whether transferring data from Facebook’s European subscribers to the U.S. should be suspended on grounds that the U.S. does not afford an adequate level of protection of personal data under the Privacy Directive.

May the luck be with you, Facebook.

SOURCES

Court of Justice of the European Union, Press Release No 117/17.

Maximillian Schrems v. Data Protection Commissioner (C-362/14).