• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to secondary sidebar

Alston & Bird Privacy Blog

  • Home
  • Services
  • Events
  • Contacts

European Court of Justice Strikes Down Safe Harbor

October 6, 2015 By Privacy & Data Security Team

In a momentous judgment, the European Court of Justice (“ECJ”) today invalidated the European Commission’s decision establishing the E.U.-US Safe Harbor for transfers of personal data (“Safe Harbor Decision”).  The ruling was made with record dispatch, following on an Advocate General Opinion recommending invalidation that was delivered to the Court only two weeks ago.

Facts of the case:

In the wake of the 2013 Snowden revelations, Maximilian Schrems, an Austrian citizen, privacy activist, and Facebook user, lodged a complaint with Ireland’s Data Privacy Authority (“DPA”), claiming that his Facebook data (like that of other Facebook users) was being transferred by Facebook Ireland to servers located in the United States and unlawfully exposed there to surveillance by the U.S. intelligence services. When the Irish Data Protection Agency refused to investigate the matter, based on its view that it was constrained by the Safe Harbor Decision, Mr. Schrems filed for judicial review with the Irish High Court. Upon review, the Irish High Court asked the ECJ (i) to determine whether a data protection authority is bound by a Commission finding that the E.U.-US Safe Harbor framework provides adequate protection in the face of a complaint alleging it does not, and additionally, (ii) if the DPA may or must conduct an independent investigation of the matter.

The Decision of the ECJ:

The ECJ generally confirmed reasoning of Advocate General Yves Bot, as articulated in his Opinion of September 23, 2015. More specifically, the ECJ found that (i) the existence of a Commission decision finding that a country ensures an adequate level of protection of the personal data transferred cannot eliminate the powers of a DPA to investigate a claim that a specific transfer does not comply with the requirements of the Data Protection Directive, and (ii) the Safe Harbor Decision is invalid. Importantly, the ECJ’s decision, similar to the Opinion of its Advocate General, went beyond the initial request for a preliminary ruling which did not question the validity of the Safe Harbor Decision.

The ECJ’s core reason for invalidating the Safe Harbor Decision was based on its finding that the framework does not include rules limiting interference with individuals’ rights to privacy in the case of disclosures of personal data to national security authorities. The framework applies only to US undertakings that choose to adhere to it, and US public authorities are not subject to it. The ECJ concluded that US legislation authorizes “on a generalized basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued.” In another important statement, the ECJ criticized the lack of judicial remedies to individuals, especially in relation to the right of access, rectification or erasure of personal data pertaining to them.

In conclusion, the judgment creates substantial legal uncertainty. The impact on similar Commission Decisions containing adequacy findings remains unclear and specific guidance of the European Commission and the Article 29 Working Party is expected in the days and/or weeks to come.

Alston & Bird is monitoring the impact of the decision and will provide further updates for companies in the coming days. At this stage, companies can already start reviewing the basis for their ongoing international transfers with a view to establishing the various options they could rely on.

Filed Under: Data Protection, Enforcement, Financial Privacy, Health Privacy, International, Mobile Privacy, Online Privacy, Privacy, Regulation, Security Breach Tagged With: Cross-border, EU Data Protection, EU Regulation, European Court of Justice, European Union (EU), Max Schrems decision, Safe Harbor

Reader Interactions

Primary Sidebar

This blog is a service of Alston & Bird’s Privacy & Data Security team and focuses on key data privacy and data security issues.


Countdown to CCPA Effective Date


Receive email notifications when new posts are added.

Receive email notifications when new posts are added.


PRIVACY MAILINGS
Click Here to Sign Up

FOLLOW US
on Twitter Click Here


Secondary Sidebar

Categories

Recent Posts

  • Critical Audit Matters Disclosure Implicates Information Technology and Security
  • SHIELD Act Overhauls New York’s Data Breach Notification Framework
  • Alston & Bird Details 21 Potentially Significant Impacts from Draft CCPA Regulations
  • California Releases Proposed CCPA Regulations
  • Senior Privacy, Cybersecurity Partner Wim Nauwelaerts Joins Alston & Bird
Copyright © 2019 · Alston & Bird · All Rights Reserved. Privacy.
This website uses cookies to improve functionality and performance. By continuing to browse this site, you are consenting to the use of cookies on this website. OkCookie policy