In a decision sure to have widespread implications for over 4,500 US companies doing business in Europe and anyone else who accesses data from the continent, the European Court of Justice ruled yesterday that the 15 year-old data-sharing arrangement known as "Safe Harbor" is invalid.

Background: Claim Against Facebook

The case involves a claim against Facebook brought by Austrian Maximillian Schrems. Mr. Schrems discovered the social media company had gathered over 1,200 pages of his personal information and pursued relief with the Irish Data Protection Commissioner (DPC). The DPC rejected Mr. Schrems' complaint, pointing to the "Safe Harbor" provision of the 1995 EU Privacy Directive 94/46/EC. That Directive states that US companies may collect an EU user's personal data after obtaining his or her consent if there is an "adequate level of data protection."

Advisory Opinion: Warning Shot Fired

Mr. Schrems appealed, which led to a March 2015 hearing before Advocate General Yves Bot on the threshold issue of whether the DPC could or should have even investigated Mr. Schrems' complaints. AG Bot issued an advisory opinion on September 23, 2015, not only stating that the DPC should have answered Mr. Schrems' complaint, but going a step further and stating that the "Safe Harbor" provision was invalid.

In light of Mr. Schrems' example and Edward Snowden's 2013 revelations concerning data collection by US intelligence agencies, AG Bot stated: "the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data," a right guaranteed by the EU's Charter of Fundamental Human Rights.

ECJ Ruling: Data-Sharing Arrangement Struck Down

The case moved to the European Court of Justice (ECJ), which, moving at breakneck speed, reached its decision in less than two weeks.

The ECJ's October 6, 2015 decision first determined that the Irish DPC had the power to rule on the adequacy of the Safe Harbor. It then examined the DPC's decision and held that Safe Harbor provisions are incompatible with the right to privacy under the EU Directive.

What Does This Mean For Employers?

While it may take some time before the true impact of this decision is fully understood, it is very likely to throw into doubt the way many companies do business in the EU. Such companies, and any with EU employees, will need to revisit their business practices if they do not meet another exception to the proscription on data transfer under Directive 95/46/EC.

Some exceptions, like amending contracts to permit piece-by-piece data transfer, using model contractual clauses or ad-hoc contracts reviewed by state privacy officers, or even obtaining user consent, may work in the interim. But it remains to be seen what the full impact of the ruling will be for multiple small operations that may not benefit from contractual language permitting data transfer.

The ECJ's ruling is below:

  1. Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.
  2. Decision 2000/520 is invalid.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.