In a much publicised ruling, the European Court of Justice declared on 6 October 2015 that the European Commission’s US Safe Harbor agreement is invalid. The ruling is expected to have important implications for internet cloud operators and social networks as well as for organisations that use cloud services based in the US to store personal data.
In response to the ruling, Commissioner Věra Jourová clarified at a press conference in Strasbourg, that the Safe Harbor principle is no longer applicable and that businesses will need to apply the other mechanisms available in the Data Protection Directive and Commission decisions until a new agreement with US authorities is in place. Alternatives include the Commission’s model clauses for transferring data to third countries without adequate data protection laws. There are also limited exceptions (as pointed out by Ms. Jourová at the press conference), but in most cases it will be necessary to have an agreement with data subjects with free and informed consent which raises particular issues in contexts where there is a preexisting relationship with the data subject, e.g. employees, as well as for consumer services where users are unlikely to read the terms that they agree to.
In addition to invalidating the Safe Harbor agreement, the court also held that the Commission does not have the competence to restrict national supervisory authorities’ powers in the way that the Safe Harbor scheme did. In particular, the national supervisory authorities must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements in the directive. Arguably, this opens for the possibility that the Commission’s model clauses are open to being deemed inadequate.
Additional noteworthy points made by the court include:
– National US law prevails over the Safe Harbor agreement which in effect means that the Safe Harbor principles would have to be discarded in case of conflict with national law, and the Safe Harbor scheme thus enables the interference with fundamental rights of EU citizens.
– The Safe Harbor scheme does not allow for legal recourse for the rectification and access of stored data, and that in itself is a breach of the fundamental right to effective judicial protection.
Ms. Jourová also confirmed at the press conference that the commission will start working towards a new “safer safe harbor” agreement in parallel with the ongoing negotiation of the new data protection regime. In particular, she highlighted the need for a coordinated response from the 28 national supervisory authorities. She added that the commission will present guidelines in the coming weeks to aid businesses following the ruling.
By Christian Ernhede
Swedish EU lawyer at PRUDENS