Bye for now, Safe Harbor. The Court of Justice of the European Union (CJEU) has ruled that the fifteen-year-old programme which has facilitated critical flows of data from Europe to the US is invalid.
Last week, we set the scene, publishing an article on Advocate General Bot's non-binding opinion in which he stated that the Safe Harbor programme should be declared invalid.
This week, the European Court of Justice (CJEU) ruled Safe Harbor invalid, with immediate and binding effect.
In its judgment dated 6 October 2015, the CJEU also decided that national data protection authorities have authority to examine, with complete independence, complaints concerning the protection of fundamental rights in relation to data processing. This must be so, it found, even in circumstances where the European Commission has adopted an decision declaring that the jurisdiction to which the data is being exported ensures an adequate level of protection of personal data -- as it had in relation to US companies participating in the Safe Harbor Programme.
The following key points on the Commission's adoption of such an adequacy decision were discussed by the CJEU in its judgment:
The European Commission was criticised by the Advocate General for failing to revise or suspend Safe Harbor as soon as it became aware, in 2013, of Edward Snowden's revelations about US surveillance of data in the US. In a statement issued by the European Commission in response to the CJEU judgment, the Commission stated that it will be issuing guidance for national data protection authorities on how to deal with data transfer requests to the US in light of the CJEU’s ruling “to ensure a coordinated response on alternative ways to transfer data". The Commission referred to alternative measures that can be put in place to permit the transfer of data abroad, such as binding corporate rules and model data transfer contracts.
The Commission stated that it would “step up” its ongoing discussions with US authorities “towards a renewed and safe framework for the transfer of personal data across the Atlantic”. The Commission’s statement suggests that it intends to continue in its approach of working towards a revised and renegotiated Safe Harbor programme.
We recommend those engaged in EU to US data transfer immediately review those arrangements, if they have not already done so. Monitoring the evolving situation, including political developments, is essential.
For further information, please contact Gráinne Murphy, Associate Solicitor at email@example.com.