The European Court of Justice (ECJ) has declared the Safe Harbor Agreement between the US Department of Commerce and the European Commission invalid. The ECJ thereby confirmed the Opinion of Advocate General Yves Bot of 23 September 2015, who concluded that the Safe Harbor Agreement with the United States violates data protection laws and is therefore legally invalid.
As attorney Christian Solmecke, an expert in the field of IT law, stated, “the consequences for companies are severe”. “In future, each and every internet user must be explicitly asked for their consent on data transfer in the United States and at the same time instructed about the possibility of arbitrary monitoring of data by the US intelligence services. Citizens like Max Schrems may now look forward to a more successful outcome of their claims to the supervisory authorities.”
Companies now face a great challenge
Starting from 06 October 2015, any and all data transfers are legally invalid. This does not apply to data transfers that took place in the past. Nonetheless, transferring data in future now carries significant legal uncertainty for the companies involved.
The major problem is, as Mr Solmecke explains, “that the US Patriot Act, which ultimately undermined the Safe Harbor Agreement, will not be suspended. Considering this, any possible solution, for instance by agreeing on Standard Contractual Clauses, will fail due to this legislation. As long as US intelligence services are entitled to access data of EU citizens, adequate data protection in accordance with the EU principles will not be guaranteed.
“Only if each and every citizen declares their consent to this ongoing practice may effective data protection be ensured. Achieving this would require enormous efforts on the part of the companies. They must provide the users with detailed declarations of consent regarding data transfer.
“In particular, they must instruct the users that US authorities are entitled to access their data at any time. Furthermore, users would be entitled to revoke their consent at any time and demand erasure of the data. This would represent a great challenge for business processes within companies. Considering the ECJ’s present ruling, I don’t see another possible solution to transferring data to the United States lawfully.”
What is the background of the Safe Harbor Agreement?
The Safe Harbor Agreement came into force in 2000, after the US Department of Commerce made the seven “Principles of Safe Harbor” available to the public. The European Commission decided that these principles guarantee an adequate level of protection when transferring data from the EU and thus established the basis for a lawful transfer of EU citizens’ personal data to servers of US companies. Without such an agreement, data transfer would have been illegal, as the EU Data Protection Directive (95/46/EC) does not allow the transfer of personal data to countries that do not have a level of data protection comparable to that of the EU. This applies to the United States.
The Agreement enabled US-based companies to commit formally to the Safe Harbor Principles, which contain specific provisions on the transfer of personal data. The goal was to achieve legal certainty when transferring personal data to these companies. Up until now, a total of 4,410 companies have made a binding commitment to the Safe Harbor Principles, among them Facebook, Google, Twitter and Yahoo.
US Patriot Act undermines Safe Harbor
The problem, however, is that the US Patriot Act, a piece of federal legislation adopted as part of the fight against terrorism, enables US security agencies under some circumstances to access data saved by companies without the prior consent of the individual concerned. This enraged data protection specialists, who considered the Safe Harbor Agreement to be virtually worthless as a result of this practice. The transferred data would not be subject to the protection that the agreement originally aimed to achieve.
How did the current ECJ proceedings come about?
Max Schrems, a citizen of Austria, sought to challenge this practice by the US security agencies. He initially brought his claim to the competent Irish Data Protection Commission, but it declined to pursue the claim and only referred him to the wording of the Safe Harbor Agreement. After this, Mr Schrems brought the claim before the Irish High Court, which in turn requested a clarification from the ECJ as to whether or not the Data Protection Commission did indeed lack authority to consider the claim and evaluate a possible legal violation. With its present ruling, the ECJ rejected that view.
The Court established that national data protection authorities are indeed entitled to assess a claim brought to them as to whether the data transfer in a particular case satisfies the existing data protection requirements or not, regardless of the fact that the EU Commission considers data transfers to the US lawful on the basis of the Safe Harbor Agreement. The ECJ went a step further and declared the entire agreement invalid.
The reason for this is that the Commission did not sufficiently consider, at the time of its decision on Safe Harbor, whether the United States does indeed “guarantee” an adequate level of data protection based on its national legislation. The Court further stated that, without necessarily having to assess the content of the Safe Harbor Principles, it must be concluded that Article 1 of Decision 2000/520 violated Article 25 (6) of Directive 95/46/EC, which itself is an expression of the basic requirements of the Charter. Therefore, it is legally invalid.