De Gaulle Fleurance & Associés comments the ECJ judgment invaliding the European Commission’s US Safe Harbor Decision

On October 6, 2015, the Court of Justice of the European Union (ECJ) has declared invalid the European Commission’s US Safe Harbour Decision rendered in 2000.   This Safe Harbour Framework had for its purpose to consider the US as offering an adequate level of data protection to data coming from the EU subject to compliance with a list of conditions by undertakings transferring the data.   Here are the major points of this new judgment which we thought may be of interest to your activity.   1. What are the major points of the October 6, 2015 judgment?   (i) The ruling relates to a case brought to the Irish High Court by Austrian citizen M. Schrems over the transfer of data to the US by an Irish subsidiary of Facebook. (ii) The ECJ judgment (i.e. the answer to a question referred for a preliminary ruling), follows a legal opinion from Advocate General Yves Bots of September 23, 2015 arguing that the US Safe Harbour should be struck down. (iii) Although this has been highly criticized by the United States, the ECJ holds that the European Commission did not make sure that the United States ensures, by reason of its domestic law or its international commitments, a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the EU Directive on data protection read in the light of the Charter of Fundamental Rights of the European Union, as it was required to. (iv) According to the ECJ, the European Commission’s Safe Harbour cannot usurp powers of EU data protection national authorities. It cannot reduce their powers available under the said EU Directive and Charter. (v) The ECJ criticizes the European Commission for having merely examined the Safe Harbour scheme. The ruling highlights that such Safe Harbour scheme is only applicable to United States undertakings which adhere to it and does not bind United States public authorities. Also, the ECJ alleges that the Safe Harbour scheme enables interference with national security, public interest and law enforcement requirements that prevail over it. (vi) According to the ECJ, a legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life. This is allegedly particularly true when such legislation does not provide a possibility for an individual to pursue legal remedies in order to have access to, obtain the rectification or the erasure of personal data relating to him. (vii) Finally, no reference is made in the ECJ’s ruling to any grace period that would allow US companies to establish their new arrangements before Safe Harbour ceases to be valid.   2. What are the main consequences of this judgment?
  • Under current EU case law, Safe Harbour framework’s invalidity shall be considered as immediate , with a retroactive effect on data transfers already conducted as of the implementation of the Safe Harbour in 2000. Therefore, companies may no more rely on the Safe Harbour for continuing any transfer of data to the US.
  • The European Commission is required to take the necessary measures to comply with the judgment of the ECJ considering that the Umbrella Agreement on the exchange of personal data between the EU and the US for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism is in the process of being finalized after achievement of the negotiation phase between the EU and the US early in September 2015. The Commission could negotiate a new “Safe Harbour” agreement with the US. If so renegotiated, it shall take account of the ECJ’s ruling and impact.
  • In this respect, clear reference is made in ECJ’s ruling to the obligation to read the 1995 EU Directive on data protection in light of the Charter of Fundamental Rights of the European Union. The same will apply to the awaited new EU Regulation on the protection of personal data which is supposed to enter into force in the coming months to replace the 1995 EU Directive. In view of this obligation, EU Parliament and Council, as well as Member States legislatures will be seriously limited, now and in the future, in any efforts to mitigate the effects of the october 6, 2015 Safe Harbour decision. And this shall be true for a long term.
  • Regarding the specific action of Mr. Schrems, the Irish DPA will have to examine whether the transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that the country does not afford an adequate level of protection of personal data. One should remind oneself of the principal that “the Court of Justice does not decide the dispute itself. It is for the national court or tribunal to dispose of the case in accordance with the Court’s judgment, which is similarly binding on other national courts or tribunals before which a similar issue is raised”.
  3. What are our recommendations by now ?
  • Relying on available alternative ways offered by the Directive on data protection to continue transferring data to the US i.e. binding corporate rules or European Commission model clauses for data transfer agreements.
  • In your capacity as data controller or data processor, auditing your existing data transfer contracts portfolio and data processing procedures implemented in the field, to identify where and how data flows are taking place. Update your relevant contracts in light of October 6, 2015 ECJ’s ruling to ensure compliance with EU law on data protection.
  • Contacting the competent local supervisory authorities to obtain their position and implement their recommendations on a country by country basis. The European Commission has announced that it will contact the national supervisory authorities in the EU in order to implement a coordinated action in light of the ECJ’s ruling and provide them with practical guidelines. It also commits to offer assistance and help to businesses who are looking for answers on how to facilitate data transfers in light of the decision. Relevant information and contact points will be published on the Commission’s website hopefully soon.
  • Staying focused on results of the possible renegotiation of the Safe Harbour Agreement and as the case may be, conducting any pertinent action to contribute to the orientation of these negotiations’ results.
  Links :       Should you have any question, please do not hesitate to contact our team.