In its decision on October 6, 2015 (file-no. C-362/14), the European Court of Justice (ECJ) stated that the commonly used Safe Harbor Principles, which were previously deemed to be a safe way to legally transfer data to the United States, are non-binding for national data protection authorities. Thus, after this judgment, the harbor is not “safe” anymore. The court’s decision causes great difficulties for a wide range of internationally operating companies that regularly transfer personal data to their U.S. parents.
The Facebook Case
In this case, the ECJ had to decide whether the national Irish data protection authority could independently investigate and assess a complaint from an Austrian citizen who claimed that the Irish subsidiary of Facebook illegally transferred his personal data to the United States and illegally saved them on a U.S. server. The Irish data protection authority rejected the complaint on the grounds that Facebook submitted itself to abide by the Safe Harbor Principles. Based on a decision of the European Commission on July 26, 2000, data transfer to a company that submitted itself to the Safe Harbor Principles, on which the U.S. Department of Commerce elaborated, was considered under European law to be “safe” (i.e., an adequate level of data protection was guaranteed). As Facebook met these standards, the transfer to Facebook’s U.S. server should have been considered absolutely safe and thus legal, given the European Commission’s decision.
Reasoning of the Decision
This held true until October 6, when the ECJ clearly rejected the widely used and regarded as secure Safe Harbor practice, despite the European Commission’s decision in 2000. The judges criticized several aspects of the Commission’s decision.
First, the ECJ found that the European Commission lacked the authority to make a binding decision on behalf of the national data protection authorities about whether companies that submitted themselves to abide by the Safe Harbor Principles met the required standard for a legal transfer. In addition, the ECJ emphasized that the European Commission failed to properly consider in its decision that in case of a conflict of laws, U.S. law supersedes the Safe Harbor Principles. Last but not least, the European Commission did not consider the key fact that U.S. state authorities are basically granted un-restricted access to any data transferred to the United States (as has been proven by the National Security Agency (NSA) scandals that Edward Snowden exposed). The ECJ complained that state authorities were not covered, and even more importantly not bound, by the Safe Harbor Principles. Also, the court noted that the individuals concerned had no administrative or judicial means of getting informed about their saved data or enforcing the saved data to be deleted.
What Does This Ruling Mean – in the Facebook Case and in General?
For the reasons above, the ECJ required the Irish state authority to examine the Facebook complaint with due diligence and, at the conclusion of its investigations, to decide irrespective of the Safe Harbor Principles whether the transfer of the data of European Facebook users [...]