No data "safe harbour" in USA, EU court rules

6th October 2015 | europe , human rights , information technology

Transfer of data from Europe to the USA by companies such as Facebook could be suspended following a decision today by the Court of Justice of the European Union.

Judges in Luxembourg held that the EU Commission had not been entitled to make its "Safe Harbour" decision, declaring that data transferred to the USA enjoyed an adequate level of privacy protection, as the revelations by Edward Snowden showed that there was insufficient protection against surveillance.

The case was referred by the Irish courts after Maximillian Schrems, an Austrian citizen, complained that data he posted to Facebook was transferred from Facebook’s Irish subsidiary to servers located in the United States, where it was processed. The Data Protection Directive provides that the transfer of personal data to a third country may, in principle, take place only if that third country ensures an adequate level of protection of the data. The Irish Data Protection Commissioner rejected the complaint, on the basis, in particular, of the Commission's decision, adopted in July 2002, and Mr Schrems challenged this before the courts.

The Irish court asked first of all whether the Commission decision has the effect of preventing a national supervisory authority from investigating a complaint about the USA. The Court of Justice held that the existence of the decision could not eliminate or even reduce the powers available to the national authorities, which had to be able to examine, with complete independence, whether the transfer of a person’s data to a third country complied with the requirements laid down by the directive. However, the EU court alone had jurisdiction to declare the decision invalid and a case had to be referred to the court if it raised such a question.

Considering whether the Safe Harbour decision was invalid, the court noted that the scheme to which it referred was voluntary and that US public authorities were not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevailed over the scheme, "so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements". 

Under EU law, legislation was not limited to what was strictly necessary where it authorised, on a generalised basis, storage of all the personal data of all the persons whose data was transferred from the EU to the United States "without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use".

The court added that "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life". Further, there was no possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, which compromised the essence of the fundamental right to effective judicial protection.

The Safe Harbour decision also denied the national supervisory authorities their powers where a person called into question whether the decision was compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Commission did not have competence to restrict the national supervisory authorities’ powers in that way.

For all those reasons, the court declared the Safe Harbour decision invalid. The Irish supervisory authority will now have to examine Mr Schrems’ complaint and decide whether transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data in terms of the directive.

Initial reaction to the decision has been predictions that businesses, especially those based in the US, will face major difficulties putting alternative arrangements in place, especially as the court did not allow any delay before its ruling came into effect. The European Commission is to give a press conference later as to how it will react to the ruling.

Click here to view the court's opinion.