Safe Harbor Declared Invalid Following EU Ruling

PUBLISHED: 29th October 2015

Bye for now, Safe Harbor. The Court of Justice of the European Union (CJEU) has ruled that the fifteen-year-old programme which has facilitated critical flows of data from Europe to the US is invalid.

Last week, we set the scene, publishing an article on Advocate General Bot's non-binding opinion in which he stated that the Safe Harbor programme should be declared invalid. 

This week, the European Court of Justice (CJEU) ruled Safe Harbor invalid, with immediate and binding effect. 

In its judgment dated 6 October 2015, the CJEU also decided that national data protection authorities have authority to examine, with complete independence, complaints concerning the protection of fundamental rights in relation to data processing.  This must be so, it found, even in circumstances where the European Commission has adopted an decision declaring that the jurisdiction to which the data is being exported ensures an adequate level of protection of personal data -- as it had in relation to US companies participating in the Safe Harbor Programme. 

The following key points on the Commission's adoption of such an adequacy decision were discussed by the CJEU in its judgment:

1. A Commission decision must not enable interference with the fundamental rights of EU citizens’ data. The Commission’s 2000 decision on Safe Harbor stated, “[c]learly, where US law imposes a conflicting obligation, US organisations whether in safe harbor or not must comply with the law”. This statement, the CJEU said, meant that Safe Harbor effectively “enables interference” with fundamental rights.
2. Any derogations or limitations of fundamental rights, including the right to privacy, for reasons such as national security must apply in a way that is “strictly necessary and proportionate”. A government’s access to personal data “without any differentiation, limitation or exception being made in light of the objective pursued and without objective criterion” cannot be considered “strictly necessary”.
3. The Commission must assess the content of the applicable rules in a country, including its domestic law and international commitments, and the practice designed to ensure compliance with those rules. The CJEU stated that the Commission’s 2000 decision endorsing Safe Harbor did not contain sufficient findings that the US provides adequate safeguards for personal data by its domestic law or international commitments.
4. The CJEU cast doubt on the reliability of the self-certifying nature of Safe Harbor, whereby companies themselves signed up to Safe Harbor but US public authorities were not required to comply with the Safe Harbor principles.
5. Even after the Commission has adopted a decision declaring that a country ensures an adequate level of protection of personal data, it must periodically review whether its decision on the adequacy of that country’s data protection is still factually and legally justified. Such a review is particularly required when new evidence (like Edward Snowden’s revelations regarding mass, indiscriminate surveillance by US agencies) creates doubt as to the adequacy of protection.
6. EU citizens must have judicial redress for breaches of their fundamental rights. Such redress must allow EU citizens to access the data relating to them and have it rectified or erased, where appropriate. Private dispute resolution mechanisms are insufficient.

The European Commission was criticised by the Advocate General for failing to revise or suspend Safe Harbor as soon as it became aware, in 2013, of Edward Snowden's revelations about US surveillance of data in the US.  In a statement issued by the European Commission in response to the CJEU judgment, the Commission stated that it will be issuing guidance for national data protection authorities on how to deal with data transfer requests to the US in light of the CJEU’s ruling “to ensure a coordinated response on alternative ways to transfer data".  The Commission referred to alternative measures that can be put in place to permit the transfer of data abroad, such as binding corporate rules and model data transfer contracts.

The Commission stated that it would “step up” its ongoing discussions with US authorities “towards a renewed and safe framework for the transfer of personal data across the Atlantic”. The Commission’s statement suggests that it intends to continue in its approach of working towards a revised and renegotiated Safe Harbor programme. 

We recommend those engaged in EU to US data transfer immediately review those arrangements, if they have not already done so.  Monitoring the evolving situation, including political developments, is essential.