ECJ rules Safe Harbour EU-US data sharing agreement is invalid

Following the opinion of Advocate General Yves Bot, the court has ruled that the Safe Harbour agreement did not eliminate the ability of member states’ watchdogs to check whether US firms had adequate data protection measures in place.

The case was brought by an Austrian law student and privacy campaigner,Maximillian Schrems, who was concerned that Facebook was sharing European personal information with US intelligence.

Mr Schrems lodged a complaint with the Irish data protection authority – the Data Protection Commissioner – taking the view that, in the wake of Edward Snowden’s revelations concerning the activities of the US spy agencies, in particular the National Security Agency (NSA), the law and practices of the US offer no real protection against surveillance by the US of the data transferred to that country.

The Irish authority rejected the complaint, primarily on the ground that in a decision of 26 July 2002 the Commission considered that under Safe Harbour the United States ensures an adequate level of protection of the personal data transferred.

But US companies will now be urgently looking for replacement measures as they rely on the agreement to move data from the EU to the US.

The Safe Harbour agreement was made in 2000 and was meant to provide a “streamlined and cost-effective” way for US companies to gather data from the EU without infringing its rules as the EU forbids data being sent to jurisdictions whose privacy safeguards are inadequate.

Over 5,000 US firms benefit from the arrangement which sees them self-certify that they are undertaking the steps to protect individuals’ information.

The immediate consequences of the ruling are that Safe Harbour certification will no longer be a sufficient guarantee that data will be protected.

Daradjeet Jagpal, an associate at Harper Macleod who specialises in data protection issues, spoke to our partners at Scottish Legal News about the ruling.

He said: “The implications of the decision cannot be underestimated: Safe Harbour no longer provides ‘adequate protection’ in terms of the EU Data Protection Directive and the UK Data Protection Act 1998.

“Any organisation that has relied on the Safe Harbour framework to justify the transfer of personal data from the EU to a Safe Harbour accredited recipient in the US, which includes transfers by e-mail transmission and uploads to cloud-based services based in the US, must act immediately to legalise its transfer arrangements following the CJEU decision.

“Organisations have a number of options. They can make a self-assessment as to the adequacy of US data protection laws from legal, political and economic perspectives, which is not recommended following on from this morning’s decision and the level of risk involved.”

Mr Jagpal added: “They can also seek to adduce ‘adequate safeguards’ - a lesser standard than adequate protection but still acceptable under the EU Data Protection Directive and the UK Data Protection Act 1998 - by using either the European Commission’s model data transfer clauses or by using their own clauses, whether standalone or incorporated into a wider commercial agreement.

“A third possibility for larger, international organisations is to rely on their internal “binding corporate rules” or data protection policies to justify the transfer, which must be approved in advance by the Information Commissioner’s Office for UK-based organisations.”