Skip to content

CJEU has declared Safe Harbor invalid


On 6 October 2015, in the Schrems case (C-362/14), the CJEU declared the Commission's 2001 decision on Safe Harbor to be invalid, with immediate effect. This CJEU judgment has wide ramifications, both in respect of the U.S. Safe Harbor scheme but also beyond. This short article elaborates what the decision is about and what it means for business.

What has happened?

On 6 October 2015, the CJEU declared the Commission's 2001 decision on Safe Harbor to be invalid, with immediate effect. The CJEU has also held that the existence of any Commission decision that a third country ensures an adequate level of protection (which applies, for example, to Argentina, Canada, Israel, New Zealand, Switzerland and Uruguay) cannot reduce the powers of national data protection authorities, opening up the possibility of future challenges to those adequacy findings as well.

This CJEU judgment has wide ramifications, both in respect of the U.S. Safe Harbor scheme but also beyond.

What is Safe Harbor?

Under the Data Protection Directive, transfers of personal data outside the EEA may, in principle, take place only if the receiving country ensures an adequate level of protection of the data. The Commission may find that a particular country ensures adequate protection, or other mechanisms can be used to legitimise the transfer, such as using the standard contractual clauses adopted by the Commission (the Model Clauses), or Binding Corporate Rules (for intra-group transfers). The Commission made a finding of adequacy with respect to transfers to U.S. companies who have signed up to the Safe Harbor scheme.

What is the case about?

However, following appeal to the Irish High Court, which in turn referred certain questions to the CJEU, the CJEU has ruled on two issues: (a) the validity of the Safe Harbor regime in relation to data transfer to the U.S., and (b) whether national data protection authorities can investigate and, if necessary, suspend data transfers, notwithstanding the existence of the Commission's decision that the receiving country is adequate.

What did the CJEU decide?

The CJEU, in general agreement with Advocate General Bot's opinion, has declared that the EC decision that Safe Harbor provides adequate protection is invalid. It emphasised that only the CJEU could make such a determination of invalidity.

Additionally, the CJEU confirmed that the Data Protection Directive does not prevent oversight by national supervisory authorities of transfers of personal data to third countries which have been the subject of a Commission adequacy decision.

The Irish DPA must examine Mr Schrems' complaint to decide whether transfer of the data of Facebook's European subscribers to the U.S. should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

What does this mean for businesses?

This decision will result in significant inconvenience to businesses in the short term, both for EU and U.S. entities.

European entities that transfer personal data from the EU to the U.S. on the basis of Safe Harbor will quickly have to find an alternative way to legitimise the transfer. The ICO in the UK recognises that it will take businesses "some time" to review how they ensure that data is transferred to the U.S. in line with the law, and the Commission in their press conference offered their support.

The same is true of any U.S. entity that relied on Safe Harbor in order to import data from EU countries. They will now have to choose between putting in place European servers (which could be costly and impractical) or putting in place an alternative way to legitimise the transfer.

The impact of this judgment will, of course, largely depend on whether organisations are relying solely on Safe Harbor for transfers, or are backing it up with other measures. Many large EU multi-national organisations already require Safe Harbor certified service providers to enter into Model Clauses and the immediate impact for those companies is likely to be limited.

Any entity transferring personal data from the EU to other jurisdictions held to be adequate by the Commission, may also consider finding supplementary ways in which to legitimise transfers to those countries. This is because the CJEU decision opens up the possibility of future challenges to the validity of those adequacy findings.

For those organisations who have not yet done so, it would be advisable to carry out an audit promptly to identify cases where an alternative solution needs to be put in place.

How easy is it to put in place Model Clauses?

The obvious alternative mechanism for legitimising cross-border data transfers to the U.S. is the use of Model Clauses. Commissioner Vera Jourova was clear in the press conference that Model Clauses (and BCRs) remain a valid alternative. However, putting in place Model Clauses is not always a quick solution. In some Member States, it is still necessary to file Model Clauses with the data protection authority or to have transfers undertaken pursuant to Model Clauses pre-authorised by the data protection authority.

What is the impact on national authorities?

National data protection regulators can expect to see a spike in enquiries from concerned parties as to how they will deal with the consequences of the CJEU's decision. Deputy Information Commissioner, David Smith, from the ICO in the UK states that the ICO plans to issue new guidance for businesses on data transfers shortly, once it has liaised with other EU data protection authorities.

Is Safe Harbor dead?

The Commission will be incentivised to agree a new Safe Harbor regime very quickly to meet the concerns raised with the current system. We understand that discussions are well advanced. The CJEU decision will certainly strengthen the hand of the EU negotiators but if they don't reach agreement fast, those affected will have already put in place alternative mechanisms for legitimising their transfers or will have changed their business models in an attempt to avoid the issue. This article first appeared as an eAlert on 6 October 2015

Legal and Regulatory Risk Note