In its judgment of October 6, 2015 (Case C-362/14) the Court of Justice of the European Union (“CJEU”) held that transfers of personal data of European citizens to the United States made under the so-called Safe Harbor scheme are subject to significant risks, and declared the corresponding decision of the European Commission to be invalid. As a consequence, EU entities of U.S. companies so far relying on Safe Harbor will need to revise their practice of submitting personal data to the U.S. to comply with EU data protection law.

The background to this CJEU ruling was a complaint lodged by European Facebook user Maximilian Schrems with the Irish data protection authority. Facebook Ireland, the company’s European headquarters, transfers the data of its subscribers to the servers of its parental company in the U.S. Mr. Schrems argued that the law and practices of the United States offered no real protection against U.S. surveillance of his data. The Irish authority rejected the complaint relying on the “Safe Harbor” decision of the European Commission of July 26, 2000 (Decision 2000/520/EC). Safe Harbor is a U.S. government framework containing a set of principles on the treatment of sensitive personal data of EU citizens. According to the Commission’s decision, it is assumed that an adequate level of data protection is guaranteed where U.S. companies agree to comply with these principles. In the Irish authority’s opinion, national authorities should thus be prevented from launching investigations into data transfers covered by the Safe Harbor scheme. The case was brought before the High Court of Ireland, which further referred it to the CJEU.

The key elements of the CJEU ruling are as follows:

  • Primarily, the CJEU held that a Commission decision finding that a third country ensured an adequate level of data protection could not reduce the national supervisory authorities’ investigative and banning powers granted by EU law. The Member States had to be able to take the measures necessary to safeguard the fundamental right to the protection of personal data under the Charter of Fundamental Rights of the EU. This required the national data protection authorities to have the means to launch their own investigations and make their own interim determinations about “adequacy” in matters already decided upon by the Commission and to refer those matters to national courts. A binding effect of decisions adopted by the Commission would inevitably limit this total independence.
  • Furthermore, the CJEU explicitly declared the Commission’s decision 2000/520/EC to be invalid. In the eyes of the CJEU, owing to its lack of guaranteed protection, the Commission’s decision did not satisfy the requirements of EU data protection law. This finding is mainly based on the fact that the Safe Harbor scheme was applicable solely to the U.S. undertakings which adhered to it, and U.S. public authorities were not themselves subject to it. The court added that legislation permitting the public authorities to have access to the content of electronic communications on a generalized basis would have to be regarded as compromising the essence of the fundamental right to respect for private life. Likewise, legislation not providing individuals with any possibility to pursue legal remedies in order to have access to personal data relating to them or to obtain the rectification or erasure of such data compromised the essence of the fundamental right to effective judicial protection.

Whether one agrees with the CJEU’s findings or not, this judgment will have an enormous impact on international companies’ practice of processing personal data.

Data transfers to the U.S. are now associated with high legal uncertainty. It will no longer be possible to rely on the status of (currently around 4,500) U.S. companies partaking in the Safe Harbor scheme to justify data transfers. In general, U.S. companies dealing with personal data of EU subjects will have to individually assess their respective legal data protection programs. Moreover, the total independence of 28 different national supervisory authorities might lead to significant differences in interpretation and application of EU data protection law within Europe. Additionally, the ruling is likely to affect not only data transfers to U.S. companies, but also to other countries which the Commission has previously considered to have adequate data protection regimes. These two aspects could possibly result in a situation where some recipient countries or methods of transfer are accepted by data protection authorities in some European countries but not in others until the CJEU has ruled on any question referred to it. This would make it very difficult for companies to transfer personal data out of the EU in a uniform way, requiring them to put different mechanisms in place in each EU Member State.

The most obvious way for U.S. companies to deal with these consequences might be the use of accepted Standard Contractual Clauses. Additionally, with regard to the employee data transfer at international companies in particular, the implementation of Binding Corporate Rules might be a possibility to comply with applicable EU data protection law. Nevertheless, the CJEU ruling could set a precedent that allows data protection authorities to question data transfers under these schemes, given that they as well have been considered appropriate by the Commission. A third way of justifying the transfer of EU citizens’ personal data to the U.S. might be the individual consent of each data subject concerned. The practicalities of the latter, however, remain to be seen considering the variety of national legislation on this question across Member States.

Moreover, it remains unclear whether these alternatives will satisfy national data protection authorities given the potential for conflicting legal process issued by U.S. law enforcement and intelligence agencies.

Some of the Safe Harbor scheme’s shortcomings addressed in the CJEU ruling might be mitigated by the so-called “Umbrella Agreement” the U.S. and the EU have been negotiating. The agreement is supposed to provide a new framework for data protection, and it is to be expected that the CJEU ruling will have an impact on the negotiations. Part of this framework is the U.S. “Judicial Redress Act of 2015” which is supposed to grant EU citizens access to redress before U.S. courts against unlawful data processing by government agencies. However, Congress has not enacted the legislation yet. Furthermore, due to the complexity of the subject matter and the exacting requirements set forth by the CJEU, it remains unclear for now whether all aspects of the CJEU ruling will be addressed even if the legislation and the Umbrella Agreement are implemented.