The European Court of Justice Declares the Commission’s U.S. “Safe Harbour” Decision Invalid (October 6, 2015) [1]
On October 6, 2015, the European Court of Justice (Court) decided [3] in Maximillian Schrems v. Data Protection Commissioner to strike down the Commission’s U.S. “safe harbour” provision. The case arose out of the suit brought by a European Facebook user who had complained to Irish authorities about the transfer of his data to the United States, arguing that U.S. law did not provide “adequate protection of the personal data held in its territory against the surveillance activities” by public agencies. The Irish agency had declined to take action “since any question of the adequacy of data protection in the United States had to be determined in accordance with Decision 2000/520 and the Commission had found in that decision that the United States ensured an adequate level of protection.” The Court noted that while the Data Protection Directive [4] allows the Commission to issue a finding that a third country ensures an adequate level of protection, such a decision “cannot eliminate or reduce the powers expressly accorded to the national supervisory authorities” under the Charter of Fundamental Rights of the European Union and the directive. According to the press release [5], the Court stated that the national supervisory authority “must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with . . . the directive.” Turning to the Safe Harbour Decision, the Court noted that in order to be valid it would have to require “the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union.” The Court noted that U.S. authorities were able to access and process the data transferred from overseas in a manner that went “beyond what was strictly necessary and proportionate to the protection of national security” and pointed out that “the data subjects had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.” The Court therefore invalidated the Commission’s decision because it “enables interference, founded on national security and public interest requirements or on domestic legislation of the United States, with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States.”