EU Court of Justice declares Safe Harbor mechanism for EEA/US data transfers invalid

7 October 2015

Introduction

In its landmark Schrems/Facebook decision of 6 October 2015, the Court of Justice of the European Union declared the Safe Harbor scheme for transfer of data from the European Union to the United States of America invalid. Therefore, organizations can no longer rely on the Safe Harbor scheme for the transfer of personal data from the Netherlands to the US.

Transfer of personal data from the EEA to the US 

This decision limits the possibilities to transfer personal data from the European Economic Area to the United States of America. Parties that have until now only relied on the Safe Harbor mechanism for the transfer of personal data from the Netherlands to the US, will have to update their legal framework for the transfer of personal data to ensure continued compliance with the Dutch Data Protection Act (Wet bescherming persoonsgegevens).

The transfer of personal data from the EEA to a third country outside the EEA is – in principle – only allowed if the third country in question ensures an adequate level of protection of personal data (article 76 Wbp). In addition, article 77 Wbp specifies certain exemptions which allow the transfer of personal data to a country which does not ensure an adequate level of protection, such as using the EU standard model clauses.

In its decision of 26 July 2000, the European Commission decided that a transfer of data pursuant to the Safe Harbor certification system of the US Department of Commerce provided an adequate level of protection. Pursuant to this decision, a transfer of personal data from the European Economic Area to a US company which adheres to the Safe Harbor scheme was allowed under the Wbp. 

Schrems/Facebook decision 

In the Schrems/Facebook decision, the EU Court of Justice assessed whether the Safe Harbor scheme ensures a level of protection essentially equivalent to that guaranteed within the EU. The scheme is applicable solely to the US undertakings which adhere to it, and US public authorities are not themselves subject to it. The EU Court of Justice observes that national security, public interest and law enforcement requirements of the US prevail over the Safe Harbor scheme, so that US undertakings are obliged to disregard the rules of the Safe Harbor scheme where they conflict with such requirements.

The EU Court of Justice further observes that US legislation which authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the US without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the personal data and of its subsequent use, is not limited to what is strictly necessary.

As a consequence, the EU Court of Justice declares the Safe Harbor mechanism invalid.

In addition, the EU Court of Justice decided as a more general rule that even where the European Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data (such as the Safe Harbor decision), a national supervisory authority may still examine whether the transfer of personal data to that third country complies with the requirements of the EU legislation on the protection of personal data, and where appropriate suspend or prohibit the transfer of such data. 

Practical consequences

Effective immediately, organizations can no longer rely on the Safe Harbor scheme for the transfer of personal data from the Netherlands to the US. This does however not affect other legal grounds for the transfer of data to the US, such as the use of the EU standard model clauses, relying on consent, or implementing Binding Corporate Rules.

Organizations that have relied on the Safe Harbor scheme for the transfer of personal data to the US should investigate whether they can already rely on other legal grounds for such transfer, and should, where necessary, implement measures (such as using the EU standard model clauses) to ensure continued compliance with the Dutch Data Protection Act.

Please contact Houthoff' Privacy and Data Protection team for any questions regarding this decision and the transfer of personal data to the US.