EU Court of Justice makes Safe Harbor Decision history

Newsroom 04/11/2015 | 13:20

The European Court of Justice struck down a decision from the European Commission that may have repercussions on the way personal data of EU users is processed by American companies and affect certain digital industries. The decision was also made to stop American authorities from gaining access to European-only data.

 

Otilia Haraga

The chain of events that led to the ruling of the European Court of Justice started with a complaint formulated by Austrian Maximillian Schrems, a Facebook user since 2008.

According to the press release from the EU Court of Justice, some or all of the data provided by Schrems to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, for processing, as, in fact, is the case of other EU subscribers.

Schrems lodged a complaint with the Irish Data Protection Commissioner. He pleaded that in  light of the revelations made in 2013 by Edward Snowden concerning the activities of the U.S. intelligence services, the U.S. law does not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.

The Irish Data Protection Commissioner rejected the complaint, on the grounds that under the Safe Harbor Decision made by the European Commission, the U.S. ensures an adequate level of protection of the transferred personal data, according to the press release.

The case was then brought to the High Court of Ireland, which referred it to the European Court of Justice, in order to ascertain “whether that Commission’s decision has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data,” the press release writes.

The ruling of the European Court of Justice struck the Safe Harbor decision of the European Commission, on the grounds that it should not override the powers of the national supervisory authorities.

However, the Court also required the Irish supervisory authority to examine Schrems’ complaint and decide whether the data transfer of Facebook’s European subscribers to the U.S. should be suspended, according to the press release.

“This is an important decision, especially because it shows us the preeminence of personal data protection, as part of the European legal system, in front of commercial interests,” Bogdan Manolea, founder of the website www.legi-internet.ro and a member of the Association for Technology and Internet, tells BR.

 

More rights for European citizens

According to Manolea, this ruling “strengthened the independence and decision power of data protection authorities in member states, who are not compelled to follow the decision of the Commission, if they believe these do not have serious grounds.”

“It also showed that a simple European citizen, armed with tenacity and patience, can prove that the principles of the fundamental rights should be at the base of all decisions, including those made by the Commission,” comments Manolea.

Under the Safe Harbor decision adopted by the European Commission on July 26, 2000, the transfer of personal data to a third country may take place only if that third country ensures an adequate level of data protection, by reason of its domestic law or its international commitments. “Each member State should designate the national supervisory authorities that are responsible for monitoring the application, within its territory, of the national provisions adopted on the basis of the directive,” according to the press release of the European Court of Justice.

What the ruling of the European Court of Justice does, is to give more decisional power to national privacy regulators. According to the institution press release, “even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim, must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive.”

The decision has been hailed by some personal data privacy advocates.

“This is a beneficial measure for European citizens, because it shows them that their rights matter, and the Commission is compelled to take into account all of them, in all its actions,” Manolea tells BR. However, it may pose complications for American companies that are dealing with Europeans’ personal data.

“American companies should consider, in all seriousness, the way in which they observe personal data processing principles in the EU, and there should be ways in which users’ rights should be respected in reality, not only on paper,” comments Manolea.

But American companies may be just one of the entities targeted by this decision.

The Court also explained in the press release that it struck down Safe Harbor to limit the interference of American public institutions into European affairs.

Thus, according to the Court, “the scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it.”

Moreover, “national security, public interest and law enforcement requirements of the United States prevail over the Safe Harbor scheme, so that U.S undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements,” says the press release.

The Court concludes in the press release that: “The United States Safe Harbor scheme thus enables interference by United States public authorities, with the fundamental rights of persons.”

 

The bigger picture

“The current problem between the EU and the USA is rather at legal and policy level- which affects businesses as well, through lack of a clear regulation framework which should stipulate all the conditions in which EU citizens’ personal data can be processed in the USA,” comments Manolea.

In fact, negotiations regarding the personal data framework have been going on between the two continents for 2 years, “which also included the replacement or perfecting of the Safe Harbor system,” says Manolea.

“However, during these 2 years, they rather came to a standstill. As a result, the decision of the EU Court of Justice should rather step up these negotiations, because for lack of an agreement between the two parties, many digital businesses could be affected,” comments Manolea.
He believes the best solution would be the adoption of “a general data protection framework between the EU and USA, which would probably require some additional regulations on this topic in the United States.”

 

Implications for Romania are still not clearIulian Popescu, partner at Musat & Asociatii, believes that the impact of this decision on personal data transfers made by operators established in Romania, as a member of the European Union, is still hard to evaluate.

He argues that this invalidation can impact both future data processing activities as well as current ones that are ongoing in accordance with Safe Harbor certifications in order to transmit personal data to entities in the USA.

At the moment this article went to print, there was not yet any official position on this topic from the Romanian National Personal Data Protection Authority.

Bogdan Mihai, managing associate and coordinator of the data protection department of Musat & Asociatii says that “a decisive factor in avoiding bottlenecks is the reaction speed of data operators towards the new rules.

He argues that “analyzing the data flow and planning the implementation of new suitable warranties should be made before a concrete reaction from the authority. Realigning to new regulations can require rather large implementation periods,” he comments.

BR Magazine | Latest Issue

Download PDF or read online: December 2022 Issue | Business Review Magazine

The December 2022 issue of Business Review Magazine is now available in digital format, featuring the main cover story titled “Xclusiverse: Going Beyond the Traditional Ways of Doing Business.”
Newsroom | 19/12/2022 | 18:45

    You will receive a download link for the latest issue of Business Review Magazine in PDF format, based on the completion of the form below.

    I agree with the Privacy policy of business-review.eu
    I agree with the storage and handling of my data by business-review.eu
    Advertisement Advertisement
    Close ×

    We use cookies for keeping our website reliable and secure, personalising content and ads, providing social media features and to analyse how our website is used.

    Accept & continue