Sail away from the Safe Harbor
On the 6th of October 2015 the Court of Justice of the European Union (CJEU) decided that the European Commission decision which incorporated the Safe Harbour regime into EU law (2000/520 EC) was invalid.
For the last 15 years the Safe Harbour regime had allowed over 4,000 US companies to declare they were in compliance with EU Data Protection laws. The CJEU held that the fundamental rights of EU citizens were being infringed as the US did not provide a level of protection of fundamental rights equivalent to EU law.
The decision originated from a referral of the Irish High Court after a complaint made by an Austrian student, Max Schrems, who complained to the Irish Data Protection Commissioner that the transfer by Facebook Ireland of data to Facebook Inc. in the US was not in compliance with EU data protection laws.
The decision has implications for all EU companies who transfer data to US companies which are Safe Harbour certified. European companies will have to look to alternative legal structures to govern the data transfer instead.
The decision is indicative of an increasing level of regulatory and judicial intolerance of infringements of individual data privacy rights. This decision will require a comprehensive evaluation of how a business enables its data to flow between the EU and the US.
The Schrems case was returned to the Irish High Court for a final ruling on Schrems’ challenge to the Data Protection Commissioner’s decision not to investigate his complaint against Facebook Ireland. On 20th October 2015 the Data Protection Commissioner consented to investigating the adequacy of protection afforded under US law to the personal data of Facebook’s European users, taking account of the criteria set out in the CJEU’s judgment.