The US Safe Harbor scheme was established 15 years ago by the EU Decision 2000/250/EC of 26 July 2000 to provide a mechanism to validly transfer personal data from the EU to the US.

On 6 October 2015, the Court of Justice of the European Union (CJEU) stated that the European Commision’s decision no 2000/520/EC is invalid. As a result the US “Safe Harbor” scheme, concerning the protection of personal data, became not sufficient enough to transfer personal data.

The case was started by Maximillian Schrems, who demanded to prohibit Facebook Ireland from transferring his personal data to Facebook Inc. (with its seat in the US), justifying that the law and practice in force in that country did not ensure adequate protection (with regard to Edward Snowden’s disclosure concerning National Security Agency).

In the course of the proceedings, the High Court of Ireland noticed that this case concerned the implementation of EU law. According to the referring court, Decision 2000/520/EC does not satisfy the requirements flowing from the Charter of Fundamental Rights of the EU (concerning the right to respect for private life). Therefore, the High Court asked a question whether the Commissioner was bound by the above mentioned decision, which created Safe Harbor scheme, or whether he is authorized to break free from such a finding and conduct his own investigation.

In those circumstances the High Court decided to refer the previous questions to the Court of Justice for a preliminary ruling.

First of all, the CJEU noticed, that the Member States are required to set up a public authority responsible for monitoring, with complete independence, compliance with EU rules on the protection of individuals with regard to the processing of personal data. Such authority in Poland is Główny Inspektor Ochrony Danych Osobowych (GIODO).

GIODO, according to the EU law, should possess a wide range powers, in particular investigative powers, such as the power to collect all the information necessary for the performance of its supervisory duties, effective powers of intervention, such as that of imposing a temporary or definitive ban on processing of data, and the power to engage in legal proceedings.

Moreover, GIODO is responsible for monitoring compliance with the EU rules concerning the protection of individuals with regard to the processing of personal data. Then, having acknowledged that transfers of personal data to third countries does not ensure an adequate level of protection, GIODO has a power to prohibit such transfer.

The CJEU also stated, that a Commission decision, such as Decision 2000/520/EC, cannot prevent persons, whose personal data could be transferred, from lodging with the GIODO a claim, concerning the protection of their rights. Such a decision can not eliminate or reduce powers expressly accorded to the GIODO.

Therefore, among other reasons, the Decision 2000/520/EC was found invalid.

As a result, GIODO has a right to examine, with complete independence, whether the transfer of personal data complies with the requirements laid down by the EU law, so that persons, whose personal data has been or could be transferred were not denied the right to protect their fundamental rights. Then, if GIODO comes to the conclusion, that the arguments put forward by the applicant are unfounded – he rejects the claim, opening to the applicant an access to judicial remedies. On the other hand, if the claim is considered well-founded, GIODO must be able to put forward those objections before the national courts in order for them to make a reference for a preliminary ruling for the purpose of examination of the decision’s, such as Decision 2000/520/EC, validity.

As a consequence of invalidation of the Decision 2000/520/EC and the Safe Harbor, GIODO gained the right to make independent assessments on adequacy for any personal data transfers and, moreover, for any alternative to Safe Harbor arrangements.

About the Author

Back to list

Read also