EU-US Safe Harbour agreement invalid, court rules
6 October 2015 | 0
The Safe Harbour agreement on which many businesses rely for the transatlantic transfer of personal data is invalid, the Court of Justice of the European Union has ruled.
EU law requires that companies exporting citizens’ personal data do so only to countries providing a similar level of legal protection for that data. In the case of the US, the exchange of personal data is covered by the Safe Harbour Privacy Principles, which the European Commission ruled in July 2000 provide adequate protection. Businesses relying on the Safe Harbour agreement to transfer personal data from the EU to the US could now be operating illegally.
The CJEU provided a summary of the ruling, the full text of which will be published later.
The court was asked to rule on a matter of law in a case relating to Facebook’s transfer of EU citizens’ personal data to the US.
The question it was asked was: Is a national data protection authority bound by the European Commission’s decision of 26 July 2000, that the Safe Harbour agreement provides adequate privacy protection to personal data exported to the US, or may it investigate complaints about the level of protection provided in the light of events since that decision?
In a non-binding preliminary opinion last month the court’s Advocate General, Yves Bot, went far beyond that question, saying that not only should the data protection authority investigate complaints, but also that the Safe Harbor agreement is invalid because it provides inadequate protection.
The court’s Grand Chamber appears to have followed Bot’s opinion.
The Irish High Court referred the question to the CJEU in June 2014, in a case filed by Austrian citizen Maximillian Schrems in October 2013.
In June of that year, Schrems filed a complaint with the Office of the Data Protection Commissioner (DPC) disputing the level of privacy protection given to personal data about him held in the US by Facebook. He made the complaint in Ireland because Facebook’s European headquarters is there, putting its interactions with citizens of any EU country under Irish data protection law.
The DPC summarily rejected the complaint the following month, pointing to the Commission’s 2000 decision that the Safe Harbour principles followed by Facebook were adequate. Schrems asked the High Court for a judicial review of the DPC’s decision, prompting the court to refer the question about Safe Harbour to the CJEU.
IDG News Service