Safe Harbor is the name of a policy agreement established between US Department of Commerce and the European Union (EU) to regulate the way US companies export and handle personal data of EU citizens, which is based on the EU Decision 2000/520/EC of 26 July 2000.

On 6 October 2015, the Court of Justice of the European Union (CJEU) stated that the European Commision’s decision no 2000/520/EC is invalid. As a result, the US “Safe Harbor” scheme, concerning protection of personal data, became not sufficient enough to transfer personal data.

The applicant in this case was Maximillian Shrems, an Austrian resident and a user of Facebook. Any person residing in the EU, who wishes to use this social network is required to conclude, during the registration, a contract with Facebook Ireland, a subsidiary of Facebook Inc. (established in the US). Some or all of the personal data of Facebook users are transferred to servers belonging to Facebook Inc., where it undergoes processing.

Mr Shrems made a complaint, in which he demanded to prohibit Facebook Ireland from transferring his personal data to the US, justifying that the law and practice in force in that country did not ensure adequate protection (with regard to Edward Snowden’s disclosure concerning National Security Agency).

After the dismissal of his complaint made by the Data Protection Commisioner (a defendant in this case), Mr Shrems brought an action before the High Court of Ireland (a referring court). The High Court ruled that the Commissioner was wrong in rejecting the claim.

However, the High Court noticed that this case concerned the implementation of EU law. According to the referring court, Commision Decision 2000/520/EC does not satisfy the requirements flowing from the Charter of Fundamental Rights of the EU (concerning the right to respect for private life).

Therefore, the High Court decided to ask a question whether the Commissioner was bound by the Decision 2000/520/EC, stating that the US ensures the adequate level of protection (Safe Harbor regime), or whether he is authorized to conduct his own investigation.

In those circumstances the High Court decided to refer the previous questions to the Court of Justice for a preliminary ruling.

First of all, pursuant to the EU regulations, transfers of personal data to third countries may be effective only in full compliance with the provisions adopted by the Member States. As a result, the national supervisory authorities are responsible for monitoring compliance regulations of the third country with the EU rules concerning the protection of the individual and for deciding if they ensure an adequate level of protection. The above mentioned decision may be issued by both the Member State or the Commission.

An example of such action made by the Commission is the Decision 2000/520/EC, which constitutes the Safe Harbor scheme.

The CJEU stated that all EU documents, inasmuch as they govern the processing of personal data liable to infringe the fundamental freedoms, in particular the right to respect for private life, must be interpreted in the light of the fundamental rights guaranteed by the Charter. The main purpose of the Charter is to ensure effective and complete protection of the fundamental rights, in particular the fundamental right to respect for private life with regard to the processing of personal data, which is also guaranteed by the independence of national supervisory authorities, that were established in order to strengthen the protection of individuals.

The CJEU noticed also that, pursuant to the Decision 2000/520/EC, national security, public interest or law enforcement requirements’ have primacy over the Safe Harbor principles. As a result, self-certified US organizations receiving personal data from the EU are bound to disregard those principles without limitation where they conflict with the above mentioned requirements and therefore prove to be incompatible with them. In addition, the Decision 2000/520/EC does not refer to the existence of effective legal protection against such interference.

The CJEU invalidated the Decision 2000/520/EC. Moreover, the CJEU stated that the decision, in which the Commission finds that the US ensures an adequate level of protection, does not prevent a supervisory authority of a Member State from examining the claim of a person concerning the protection of his rights and freedoms regarding the processing of personal data.

About the Author

Back to list

Read also