Dr. Frank Jungfleisch, Corporate Law; Sebastian Hoegl, Corporate Law

The European Court of Justice declares the Safe Harbor Agreement between the European Union and the United States invalid

In the Schrems decision, the ECJ ruled that the agreement between the EU and the US, which allows for a transfer of personal data to companies in the United States ("Safe Harbor"), is invalid. Data transmission based on this agreement is therefore not permitted.

Background

In general, a transfer of personal data to companies outside the EU or the EEA is only permitted if these companies, among other conditions, guarantee an adequate level of data protection. This must always be ensured and reviewed by the transmitting company. Under the Safe Harbor Principles, such an adequate level of data protection was assumed, without further examination, for US companies that voluntarily committed themselves to the principles and registered on a list of the US Department of Commerce.

The origin of the decision was a legal dispute between Austrian lawyer Max Schrems and Facebook that has been smoldering since 2011 and has received a large amount of attention from the press. Schrems had complained that Facebook was transferring his data to the US and storing it there. To this end, he requested that the Irish Data Protection Commissioner (located at the seat of Facebook's European headquarters) take action against Facebook. The Commissioner refused, referring to the Safe Harbor Principles.

The Judgment of the ECJ, file no.: C-362/14

The ECJ ruled that the European Commission's decision regarding the Safe Harbor Principles was inconsistent with the Charter of Fundamental Rights of the EU. The caveat contained in the Safe Harbor provisions that enables virtually unconditional access by public authorities to personal data does not allow for a general assumption that an appropriate level of protection is provided by US companies. In addition, the competences of national supervisory authorities are severely restricted by the agreement. It should at least be required that supervisory authorities can examine, following a petition by an affected individual, whether the level of protection provided is appropriate.

Comment

In its decision, the ECJ has, ultimately, agreed with a criticism that has been voiced by some German data protection supervisory authorities for a long time. Nevertheless, the decision can safely be called a thunderbolt. The consequences for companies and for supervisory authorities are currently not foreseeable.

Contrary to some press releases, the ECJ has not ruled that data transmission to the United States is generally prohibited. On the contrary, the transmitting company and the supervisory authorities are obligated to review each individual case.

Pursuant to the ECJ's decision, companies that want to transfer information to the USA (for example, to other group companies) now bear even more responsibility. In addition to all other conditions, they must now also review whether the data recipient provides an adequate level of data protection. Whether this can be ensured solely through the conclusion of appropriate agreements is doubtful, in view of the clarity with which the ECJ has criticized the surveillance activities of US intelligence agencies.

IT services (such as cloud solutions) by US companies are also affected by this new development to a very significant extent, even if the contractor has a location in the EU. Companies that have so far relied on the "Safe Harbor" certification of providers should, therefore, review their data protection concept as soon as possible.
