On 6 October 2015, the Court of Justice of the European Union ruled that Decision 2000/520/EC of the European Commission is invalid. This decision had determined that the transfer of data to the United States under the Safe Harbor principles guaranteed an adequate level of protection for personal data.
Under Directive 95/46/EC of 24 October, of the European Parliament and of the Council, the transfer of personal data to a country outside the European Economic Area (of which all Member States of the European Union and Norway, Iceland and Liechtenstein are part) depends on a level of protection in the third country equal to the one existing in the EU.
It is the European Commission that decides whether a country outside the EEA guarantees an adequate level of protection.
In this context, by a decision of 26 July 2000, the European Commission determined there was an adequate level of protection in transferring personal data from the EU to US companies that had voluntarily signed up to the Safe Harbor principles. Safe Harbor is a self-certification mechanism with a set of rules agreed between the European Commission and the US Department of Commerce.
Controversy arose when the Irish personal data regulator rejected the complaint by Austrian citizen Maximilian Schrems on the basis of the Commission's decision. On the basis of revelations made by Edward Snowden about the use of personal data by US security agencies, Schrems complained about the absence of an adequate level of protection for personal data transferred to the USA under the Safe Harbor Agreement.
Unhappy with the response of the regulator, Maximilian Schrems appealed to the Irish courts. These courts were faced with the question of whether the Commission's decision prevents national regulators from evaluating the adequacy of the level of protection for data transferred to the USA. To answer the question, the Irish courts used the preliminary ruling mechanism to seek the opinion of the Court of Justice of the European Union (CJEU).
As a result, the CJEU (in case C-362/04, Schrems) declared the Commission's decision invalid. It did so on the grounds, first, of the violation of fundamental rights in the processing of personal data by the USA and, secondly, of the fact that the Commission's decision cannot eliminate or even reduce the powers available to the national supervisory authorities, preventing them from investigating complaints independently.
The CJEU found that the Commission had based its decision on Safe Harbor, when Directive 95/46/EC requires that the question of whether there is a level of protection substantially equivalent to the one existing in the EU should be decided by analysing the internal legislation and international commitments of the third country.
Furthermore, the CJEU held that Safe Harbor itself does not ensure an adequate level of protection. This is because whenever national security, the public interest or US legislation requires it, Safe Harbor is excluded and any personal data transferred is subject to unlimited use.
The CJEU also pointed out the absence of any legal channels to protect the fundamental rights to a private and family life and the right to protection of personal data. This is because people have no means of rectifying or withdrawing any of their data once it has been transferred.
Finally, the CJEU concluded that the national supervisory authorities could not, under any circumstances, see their powers restricted by decisions of the Commission. This is because they have full independence to investigate violations of fundamental rights and, as a consequence, prevent the transfer of personal data without the guarantee of an adequate level of protection.
Following this decision, anyone responsible for the processing of personal data established in Portugal who wishes to transfer personal data to the USA should not base their decision to do so on the fact that the importer of the data has signed up to Safe Harbor.
Importantly, even if a subcontractor is transferring the data to companies in the USA under Safe Harbor, the person responsible for processing will remain responsible for these transfers.
The only reliable method for transferring personal data to the USA for those responsible for data processing who are established in Portugal is now to use the EU model contractual clauses.
Nevertheless, the Article 29 Working Party (WP29) – a body for cooperation between the regulators from all EU Member States – has already announced that it will issue guidelines on compliance with the applicable law following the decision in the Schrems case. It will certainly be crucial to analyse these guidelines.
As a consequence of the CJEU's ruling, we recommend that all companies that transfer personal data to the USA under Safe Harbor should look closely at the basis on which they make these transfers.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.