Breaking news: CJEU declares the EU-US "Safe Harbor" decision invalid

United Kingdom

This article was produced by Nabarro LLP, which joined CMS on 1 May 2017.

Summary and implications

On 6 October 2015, Europe’s highest court, the Court of Justice of the European Union (CJEU), gave its landmark ruling in the case known as Schrems v Facebook (Schrems C-362/14). The decision declares that the current self-certification regime that permits transfers of personal data from the EU to companies in the US, the so-called Safe Harbor Agreement, is invalid. It also confirms that individuals have the right to challenge European Commission decisions relating to data transfer schemes through their national information regulator.

Facts

Mr Schrems had an account with Facebook which was administered in Ireland. His personal data were passed to various Facebook servers in the US. In transferring the data outside Europe, Facebook relied on a European Commission decision issued in 2000 (known as the Safe Harbor Agreement). This is, in essence, a self-certification scheme intended to ensure “adequate protection” for personal data transferred from the EU to the US. Mr Schrems objected to this practice. He claimed that, following revelations made by Edward Snowden regarding the US surveillance programme, PRISM, the US did not sufficiently safeguard the privacy of his personal data. PRISM allows certain US security agencies access to the US-based servers of companies which are compulsory members of the scheme.

Mr Schrems – a privacy campaigner who was crowd-funded to bring the case – sought a declaration that the activities of Facebook in exporting his personal data to the US were not lawful. He made his complaint to the Irish information regulator which ultimately referred the matter to the CJEU, as a question of over-arching EU law.

CJEU's decision

The CJEU agreed with the earlier non-binding Advocate General's Opinion (23 September), which we have written about previously. It made two findings:

  1. The European Commission's Safe Harbor Agreement, which states that the US has an "adequate level of protection", does not prevent a national information regulator from examining a claim by an individual that the laws and practices in force in the US do not in fact provide adequate protection.
  2. The European Commission's decision permitting data transfers to the US on the basis of the Safe Harbor Agreement is invalid. This stems from the wide derogations from privacy protection that were afforded under the Safe Harbor Agreement. The European Commission had accepted the derogations without any manifest basis for concluding that they could only be used in a suitably limited fashion. The decision therefore did not amount to a finding, as required by European law, that, by reference to the Safe Harbor Agreement, the US ensures "a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order".

Implications of the CJEU's decision

The Safe Harbor Agreement can no longer (at least, for the present) be relied upon as a valid legal mechanism for data transfers from the EU to the US. Therefore any company that relies on, or uses an outsourced service provider (i.e. a US cloud) that relies on, Safe Harbor for data transfers to the US may now lack a legal basis on which to continue the transfers. 

Following today's decision, the European Commission released a press statement confirming that it will continue to move forward with the renegotiation of the Safe Harbor Agreement – something which it has been doing since 2013. Conspicuously, the press statement gave no immediate comfort to those relying on the Safe Harbor Agreement and instead referred to the possibility for companies to use alternative legal bases for their international data transfers, such as the adoption of European Commission-approved standard contractual clauses.

The US government has criticised the understanding of the PRISM mechanism that has informed the proceedings in this case. Writing in the Financial Times today immediately prior to the ruling, the chief lawyer of the office of the Director of National Intelligence, Robert Litt, stated that the US legal regime is "…focused and reasonable. It does not involve 'mass' and 'unrestricted' collection of data…" Clearly it is vital that the renegotiation of a new Safe Harbor mechanism should proceed on the basis of a full understanding of the position, and as swiftly as possible. Any delay in completing this work will be depressing for companies that have been relying on Safe Harbor for the huge volumes of transatlantic data transfers they make daily.