EUCJ finds US/EU Safe Harbour Agreement invalid

In a headline-making decision in Maximillian Schrems v Data Protection Commissioner, the European Court of Justice has invalidated the European Commission’s Decision 2000/520 (known as the “safe harbour decision”) on the transfer of EU citizens’ personal data from Europe to the US.

Until now the safe harbour decision has provided a simple way of achieving compliance with Article 25 of the EU data protection directive, which prohibits transfers of personal data to jurisdictions outside the EU unless they provide “adequate” privacy protections consistent with those available in the EU. The safe harbour decision allowed organisations to transfer EU citizens’ personal data to the US based on ‘self-certification’ that the transfer complied with certain principles outlined in the decision itself.

The latest ruling arises from a case brought by Maximillian Schrems, an Austrian privacy campaigner. Schrems had asked the Irish Data Protection Commissioner to prohibit Facebook from transferring his personal data to the US, alleging that the US surveillance activities revealed by Edward Snowden meant that the US did not provide “adequate” protection within the meaning of Article 25. The Data Protection Commissioner declined to investigate, taking the view that the safe harbour decision precluded any finding that protection was not “adequate”. The EUCJ has now held that the safe harbour decision is invalid, and does not preclude member states’ privacy regulators from inquiring into the “adequacy” of protection in the US.

The ruling means that organisations transferring EU citizens’ personal data from Europe to the US will need to find other ways to comply with Article 25, for example by implementing ‘model contract clauses’ through bilateral agreements for data processing, or by encrypting or tokenising data before transfer.