Data Protection: Safe Harbour – What Next?

In this briefing we look at the recent Court of Justice decision to invalidate the Safe Harbour and we examine the implications of this decision in light of other recent data protection cases and in light of the progress being made in finalising the proposed new EU Data Protection Regulation.

SAFE HARBOUR DECLARED INVALID

Background

As has been widely reported, the Court of Justice of the EU determined on 6 October 2015 that the European Commission Decision underpinning the Safe Harbour (2000/520/EC) was invalid. The Court's decision comes on foot of a referral from the Irish High Court arising from a complaint made by an Austrian student, Maximilian Schrems. Mr Schrems complained to the former Irish Data Protection Commissioner (DPC), Billy Hawkes, that Facebook Ireland's data transfers to Facebook Inc in the US were not compliant with EU data protection laws. Mr Schrems' concerns appeared to be based principally on the grounds that his data could be subject to mass and indiscriminate surveillance by the National Security Agency in the United States in light of the Edward Snowden revelations. As the transfers were subject to Facebook's Safe Harbour certification, and on the basis that Safe Harbour was one of the bases approved by the EU Commission under the Data Protection Directive to validate such transfers, the DPC had rejected Mr Schrems' complaint. He appealed this decision to the Irish High Court, which in turn referred the matter to the CJEU.

Grounds for the CJEU Decision

The CJEU decision to invalidate the Safe Harbour regime was made on two technical grounds. First, the Commission Decision approving the Safe Harbour was invalid as it failed to sufficiently examine the data protection standards in the US to ensure, by reason of US domestic law or its international commitments, a level of protection of fundamental rights which was equivalent to that guaranteed in the EU. Secondly, the Decision potentially deprived data subjects of their rights of access to a Data Protection Supervisory Authority to exercise independent oversight of data controllers within their jurisdiction.

These may seem to be rather technical reasons for reaching such a drastic decision. From a US perspective in particular, the decision may seem perplexing in that one organ of the EU, the CJEU, has now overruled another organ, the EU Commission, in relation to an issue that was already under review in light of the Snowden revelations.

However, the decision is not that surprising in the context of an increasing body of caselaw which...
