European Court of Justice Tosses US-EU Safe Harbor

European Court of Justice Tosses US-EU Safe Harbor

Austrian Maximillan Schrems filed a complaint against Facebook to challenge the US-EU Safe Harbor program, relying heavily on revelations about the NSA’s data collection practices. The Irish data protection authority (which regulates Facebook’s European activities), rejected the complaint since, under the US-EU Safe Harbor program the European Commission had already determined that the United States ensures an adequate level of protection of the personal data transferred.

As explained earlier, a preliminary opinion by the Court’s Advocate General Yves Bot found that

  • the law and practice of the United States allow the large-scale collection of the personal data of citizens of the EU which is transferred, without those citizens benefiting from effective judicial protection;
  • The access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data, which are guaranteed by the EU Charter; and
  • Since the access which the United States intelligence authorities may have to the personal data covers, in a generalized manner, all persons and all means of electronic communication and all the data transferred (including the content of the communications), without any differentiation, limitation or exception according to the objective of general interest pursued, it cannot be regarded as ensuring an adequate level of protection, and this is all the more so since the safe harbor scheme as defined in the Commission decision does not contain any appropriate guarantees for preventing mass and generalized access to the transferred data.

The European Court of Justice held:

  • the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. Thus, even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim,must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive.
  • EU citizens have a fundamental right to respect for private life and any legislation that limits their ability to pursue legal remedies compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.
  • The Safe Harbor denies national authorities this power and is therefore invalid.
  • As a result, Irish authorities must examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

Even absent the EU-US Safe Harbor Agreement, a company may transfer data collected from EU citizens if they obtain user consent (which has burdensome record keeping obligations) or via approved standard contractual language permitting such transfers.