In a momentous judgment, the European Court of Justice (“ECJ”) today invalidated the European Commission’s decision establishing the E.U.-US Safe Harbor for transfers of personal data (“Safe Harbor Decision”). The ruling was made with record dispatch, following on an Advocate General Opinion recommending invalidation that was delivered to the Court only two weeks ago.
Facts of the case:
In the wake of the 2013 Snowden revelations, Maximilian Schrems, an Austrian citizen, privacy activist, and Facebook user, lodged a complaint with Ireland’s Data Privacy Authority (“DPA”), claiming that his Facebook data (like that of other Facebook users) was being transferred by Facebook Ireland to servers located in the United States and unlawfully exposed there to surveillance by the U.S. intelligence services. When the Irish Data Protection Agency refused to investigate the matter, based on its view that it was constrained by the Safe Harbor Decision, Mr. Schrems filed for judicial review with the Irish High Court. Upon review, the Irish High Court asked the ECJ (i) to determine whether a data protection authority is bound by a Commission finding that the E.U.-US Safe Harbor framework provides adequate protection in the face of a complaint alleging it does not, and additionally, (ii) if the DPA may or must conduct an independent investigation of the matter.
The Decision of the ECJ:
The ECJ generally confirmed reasoning of Advocate General Yves Bot, as articulated in his Opinion of September 23, 2015. More specifically, the ECJ found that (i) the existence of a Commission decision finding that a country ensures an adequate level of protection of the personal data transferred cannot eliminate the powers of a DPA to investigate a claim that a specific transfer does not comply with the requirements of the Data Protection Directive, and (ii) the Safe Harbor Decision is invalid. Importantly, the ECJ’s decision, similar to the Opinion of its Advocate General, went beyond the initial request for a preliminary ruling which did not question the validity of the Safe Harbor Decision.
The ECJ’s core reason for invalidating the Safe Harbor Decision was based on its finding that the framework does not include rules limiting interference with individuals’ rights to privacy in the case of disclosures of personal data to national security authorities. The framework applies only to US undertakings that choose to adhere to it, and US public authorities are not subject to it. The ECJ concluded that US legislation authorizes “on a generalized basis, storage of all the personal data of all the persons whose data has been transferred from the European Union to the United States without any differentiation, limitation or exception being made in the light of the objective pursued.” In another important statement, the ECJ criticized the lack of judicial remedies to individuals, especially in relation to the right of access, rectification or erasure of personal data pertaining to them.
In conclusion, the judgment creates substantial legal uncertainty. The impact on similar Commission Decisions containing adequacy findings remains unclear and specific guidance of the European Commission and the Article 29 Working Party is expected in the days and/or weeks to come.
Alston & Bird is monitoring the impact of the decision and will provide further updates for companies in the coming days. At this stage, companies can already start reviewing the basis for their ongoing international transfers with a view to establishing the various options they could rely on.