EU Court of Justice Declares the US Safe Harbor for the Transfer of Data to Be Invalid

Written by: Richard Sheinis, Esq.

In a ruling that can have great ramifications for technology companies, and almost any U.S. company that does business in the EU, the EU Court of Justice has ruled that the Safe Harbor provisions, which for years has allowed companies to transfer personal data from the EU to the U.S., is invalid.

The case came about when Maximillian Schrems, an Austrian citizen and Facebook user since 2008, filed a complaint against Facebook.  As is the case for many EU residents who subscribe to Facebook,  some or all of the data provided by Mr. Schrems to Facebook was transferred from the EU  to servers located in the United States.  Schrems complained to the Irish Data Protection Commissioner that in light of the revelations from Edward Snowden regarding the activities of the U.S. intelligence agencies, the laws of the U.S. do not provide sufficient privacy for personal data transferred to the U.S. from the EU.

The EU Data Protection Directive states that when personal data of an EU resident is transferred to a country outside the EU,  the receiving country must provide a level of protection of fundamental rights, including privacy, equivalent to that guaranteed within the EU under the Directive.  The Safe Harbor scheme has, until now, been used to ensure an adequate level of protection of the personal data transferred to the U.S.  Although the Safe Harbor scheme is not a law to which companies must adhere, companies can agree to abide by the Safe Harbor requirements so as to be considered a “safe” company to transfer personal data from the EU to the U.S.  Facebook, and many other companies, have agreed to abide by the Safe Harbor provisions so as to enable them to legally transfer personal data from the EU to the U.S.

In Schrems case, the Court of Justice found that U.S. government agencies, in the interest of national security, public interest and law enforcement, are allowed to disregard, without limitation, the protective rules laid down by the Safe Harbor scheme.  The Court stated that permitting the government to have access on a generalized basis to the content of electronic communications compromises the fundamental right to respect for private life.

The Court also found that legislation in the U.S. does not provide any possibility for an individual to pursue legal remedies to have access to data relating to him, or to erase or rectify such data.  This compromises the fundamental right to effective judicial protection regarding the individual’s data.  For these reasons, the court found that the Safe Harbor provisions were invalid as they do not comply with the requirements of the EU Data Protection Directive.

The Court referred the case back to the Irish authorities to decide whether the transfer of data of Facebook’s European users to the U.S. should be suspended on the ground that the U.S. does not provide an adequate level of protection of personal data.

Please contact me, rsheinis@hallboothsmith.com,  with any questions about how this ruling may affect your company.