By Daniel L. Farris
The European Court of Justice has declared the EU Commission’s Safe Harbor decision invalid, putting at risk the transfer of data from the EU to the United States pursuant to a system used by 4,000 or so large U.S. companies.
In essence, the decision requires EU member state Data Protection Authorities (DPAs) to investigate complaints related to any company’s transfer of personal data from Europe to the United States. Companies relying on Safe Harbor are at serious risk of being ordered to suspend all transfer of data, until they can implement alternative means to comply with the legal obligations set forth by European law.
The decision could have immediate impact on EU-US trade, and is likely to leave many companies scrambling to find alternatives to Safe Harbor.
The case, Schrems v Data Protection Commissioner, involves an Austrian citizen who complained to the Irish DPA that Facebook’s transfer of data from the EU back to the U.S. violates his privacy rights, as afforded by the EU Data Protection Directive. The claim arose after Edward Snowden revealed that the NSA had broad access to data and information stored on U.S. servers. In September, an opinion of independent Advocate General Yves Bot called into question the entire Safe Harbor agreement, which permits U.S. companies to self-certify compliance with the EU Data Protection Directive.
In delivering its ruling, the ECJ held that “[t]his judgment has the consequence that the Irish supervisory authority is required to examine Mr. Schrems' complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook's European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data."
For assistance in understanding how the ECJ Decision may affect your company, auditing privacy and data security compliance programs, drafting model agreements, or preparing Binding Corporate Rules, please contact the author or a Polsinelli Privacy and Data Security team member.
By Daniel L. Farris