European court enacted a decision effectively invalidating the EU-US Safe Harbour privacy principles

Data Protection

Uroš Popović

Publisher: Bojović & Partners

On 6 October 2015 the European Court of Justice enacted a decision (Schrems, case C- 362/04) by which it declared the EU-US Safe Harbour privacy principles invalid. 

As a reminder, it is necessary to mention that the Safe Harbour framework is the name of a policy treaty concluded between the United States Department of Commerce and the European Union in November 2000 to regulate the way that US-based companies import and handle the personal data of European citizens. Namely, as the EU enacted the Directive on Data Protection in 1998, which prohibited data transfer to non-European countries that did not adhere to stringent protection criteria prescribed under this Directive, this framework was actually a compromise in privacy procedures between US and EU set up in response to the respective EU directive that made transfer of personal data from EU member states to US more facilitating. With the Safe Harbour regime, all US companies subject to the agreement were authorized to proceed with data transfers without requiring individual authorization of national data protection authorities of the EU country in question. On the other hand, the US companies that did not join the Safe Harbour were obliged to obtain an authorization separately from each European member country.

As the Safe Harbour regime was declared invalid by the European Court of Justice which ruled that it violates the privacy rights of Europeans by not providing sufficient and adequate data protection mechanisms which exposes the EU citizens to allegedly indiscriminate surveillance by the US government, an EU company which is interested in transferring data to a US company will now have to rely on other available safeguards which will greatly impede the personal data traffic between the EU and US. This decision will mostly affect trade in the online advertising business and certainly its multi-billion dollar turnover reached in the last few years. 

Even though the US and European regulators are negotiating an updated Safe Harbour framework, the timetable of its enactment is unclear. In the meantime, the EU companies transferring data to US will have to rely on their national data protection authorities which will have to decide on a case-by-case basis whether a particular data transfer meets all the relevant requirements prescribed under the national legislation and EU Directive. In addition to this, the EU data protection supervisor has announced that it will issue a uniform set of guidelines for remaining compliant in the postSafe Harbour world new situation.

As this decision affects a huge number of companies - including the likes of Microsoft, Apple, Facebook and over 4,000 others, the companies engaged in transfers of personal data outside the EU are being advised to review and revise their existing data transfer agreements. Namely, if a company mostly relied on the Safe Harbour regime, it will have to rethink its approach and rely instead on binding corporate rules and/or model contracts for effectuating their personal data transfers from the EU to the US.