- 13 Oct 2015
In a ground-breaking decision of 6 October in the case Schrems vs. the Irish Data Protection Commissioner, the European Court of Justice (ECJ) has declared the “Safe Harbor” gateway to be invalid. Many businesses rely on the “Safe Harbor” to validate transfers of personal data from the EU to the US. The court’s decision can have a big impact on businesses that transfer personal data to a company of the same group or a service provider in the US.
The Safe Harbor gateway is the subject of an agreement entered into between the European Commission and the US, and determines a number of conditions for the transfer of personal data to US companies. Indeed, in accordance with European and Belgian privacy rules, a transfer of personal data to a country outside the EU is in principle prohibited, unless that country has an adequate level of protection. If a US company had signed up to the Safe Harbor gateway and complied with its rules, a transfer of personal data to the US could take place on this basis according to the European Commission.
The ECJ’s decision is the result of a case that privacy activist Max Schrems had brought against the Irish Data Protection Commissioner regarding the transfer of his personal data by Facebook Ireland to servers of Facebook in the US. He had seized his chance thanks to, among other things, the revelations of whistleblower Edward Snowden about the online surveillance activities of the US intelligence services.
According to the ECJ, national regulatory bodies, such as the Belgian Privacy Commission, can investigate whether or not the US affords an adequate level of protection, and could contradict the European Commission’s decision that “Safe Harbor” would automatically provide for an adequate level of protection of personal data. Moreover, the court has gone further and said the Safe Harbor decision by the European Commission is invalid.
As a result, the transfer of personal data from the EU to the US that is solely based on the Safe Harbor gateway could be deemed unlawful.
A political reaction is expected. The European Commission and the US are still negotiating the strengthening of the conditions for a transfer of personal data to the US. Moreover, it is to be expected that the future European Data Protection Regulation, which will replace the current European Data Protection Directive and the Belgian Data Protection Act, will also modify the mechanisms for the transfer of personal data.
In the meantime, it is difficult to predict how strict national regulatory bodies, including the Belgian Privacy Commission, will be in accepting the validity of transfers of personal data to the US that rely exclusively on Safe Harbor.
> Action point
If your company transfers personal data to the US and relies (only) on “Safe Harbor” for this, you will have to look for alternatives from now on, such as the insertion of standard clauses in contracts with US companies.