The Harbor is No Longer Safe

The Court of Justice of the European Union (CJEU) has ruled in the Schrems case that the Safe Harbor programme used as the legal basis for transfers of personal data to the USA is invalid as it does not sufficiently protect privacy rights of individuals as required by European Data Protection legislation.

Key Facts

Max Schrems is an Austrian Facebook subscriber living in Austria. All Facebook users living in the EU have their personal data transferred from Facebook’s Irish subsidiary servers to the United States (US).

Under the eighth Data Protection principle transfers of personal data to countries outside of the EU are only permitted if adequate protections are in place in the territory to which the data are transferred. In 2000, the EU and the US agreed the Safe Harbor principles through which US companies self-certify compliance (Decision 2000/520).

Following the Edward Snowden revelations about mass surveillance by the National Security Agency through the PRISM programme, Safe Harbor’s credibility was questioned. While the EU and the US began negotiations to address this issue, Safe Harbor as a programme was not withdrawn.

Mr Schrems complained to the Irish Data Protection Commissioner (DPC) that US law was not providing adequate protection, although the DPC did not investigate because the Decision by the European Commission had found that it provided adequate protection.

Mr. Schrems brought judicial review proceedings before the Irish High Court, which in turn referred the matter to the CJEU in order to clarify whether the DPC was bound by the Decision and also whether the DPC should conduct its own investigation.

Opinion of the Advocate General

Unusually for those used to the UK court system, the CJEU has an independent lawyer known as the Advocate General (AG) who gives an opinion to the court.

With regard to the first question whether the DPC was bound by the Decision, the AG said that in his view the CJEU should assess the validity of that Decision.

The Decision had been in place for 15 years and the assessment by the Court should consider the new circumstances focusing on the legal and factual context. As “adequate level of protection” is the criterion, AG Bot said there are two fundamental elements: the content of the applicable rules and the means of ensuring compliance.

Applying these elements to the facts, Safe Harbor as a self-certifying scheme enables collection of personal data including access being given to US intelligence authorities, without citizens benefiting from effective judicial protection. According to AG Bot this means that Safe Harbor does not contain sufficient guarantees and its implementation does not satisfy European Data Protection legislation requirements. Further, citizens are left with no appropriate remedy against processing of their personal data.

As an example AG Bot said that Facebook may be required to give access to US authorities to data it has received from the EU in order to comply with US legislation. This is permitted by Safe Harbor, although its compatibility with primary EU law is questioned in this case.

The broad wording used in the Decision and the access which US agencies may have compromise the essence of the fundamental right to privacy. Further, whether the interference meets an objective of general interest allowing derogation is not sufficiently defined.

Overall AG Bot concluded that the Decision must be declared invalid since the existence of the imprecise derogation within the scheme prevents it from providing adequate protection.

With regard to the second question, AG Bot said that when a national supervisory authority receives individual complaints, it is not prevented by virtue of its investigatory powers and independence from forming its own opinion on the general level of protection ensured by a third country and drawing appropriate conclusion when determining individual cases. Context is particularly important when considering this issue and the independence of national supervisory authorities derives from primary EU law, which they must maintain in order to investigate complaints submitted to them.

According to AG Bot, if a national supervisory authority determines that the transfer of data undermines the protection which citizens must enjoy regarding processing of their data, it has the power to suspend the transfer of the data in question, irrespective of assessments made by the Commission.

Within the Decision there is a procedure to suspend transfer of data under certain circumstances. However, it is so narrow that it would be difficult to put into practice. Further, the European Parliament has determined the powers of national supervisory authorities and the Commission is not empowered to restrict such powers. As such where there are allegations that privacy rights are infringed, national supervisory authorities must have the power to investigate and where there are strong indications of rights of citizens being breached, they must be able to suspend the transfer of such data.

Therefore, the AG’s recommendation to the CJEU were: (i) that Safe Harbor should be held to be invalid and (ii) the DPC has the power to investigate similar arrangements and where warranted suspend them.

Decision of the Court of Justice of the European Union

With regard to the first question, the Court recalled that “adequate protection” is not defined, only that adequacy “shall be assessed in light of all the circumstances surrounding a data transfer operation or set of data transfer operations”.

While “adequate” does not mean an identical level of protection is to be guaranteed, it does mean a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the EU.

As conditions in the third country are likely to change, it is incumbent upon the Commission to periodically check that the adequacy of protection offered by the third country is factually and legally justified and such a check is required when there is evidence giving rise to doubt that it remains the case.

In the present case, a system of self-certification is not in itself contrary to the requirements of the European Data Protection legislation. The reliability of such a system is to be found in the establishment of effective detection and supervision mechanisms enabling infringements of the rules to be identified and punished.

In considering the different aspects of the Safe Harbor programme, the Court found that there aren’t sufficient findings regarding the measures by which the US ensures an adequate level of protection. In addition derogations of “national security, public interest or law enforcement” have primacy over the Safe Harbor principles without sufficient limitations.

The Court also found that the decision does not contain any rules intended to limit any interferences when pursuing a legitimate interest such as national security. Further, the Commission noted that data subjects had no administrative or judicial means to seek redress.

Overall the Court said that legislation is not limited to what is strictly necessary where it authorises on a generalised basis storage of all data without any differentiation, limitation or exception in light of the objective pursued, without an objective criterion which determined access, for purposes which are specific, strictly restricted and capable of justifying the interference. Permitting such access on a generalised basis “must be regarded as compromising the essence of the fundamental right to respect for private life”. Further, not providing the opportunity for individuals to seek redress to access their personal data, to rectify or erase does not respect the fundamental right to judicial protection.

The Court concluded that the Safe Harbor principles fail to comply with the European Data Protection legislation and accordingly that the Decision is invalid.

With regard to the second question, the Court recalled that the independence of national supervisory authorities derives from primary EU law and it is intended to ensure effectiveness and reliability in monitoring compliance concerning protection of personal data when processed. National supervisory authorities must ensure a fair balance between observance of the right to privacy and the interests requiring free movement of personal data.

As national supervisory authorities are responsible for monitoring compliance with EU Data Protection legislation when individual’s personal data is processed, they have a vested interest when this is transferred to a third county.

The Commission is permitted by the Data Protection Directive to adopt a decision finding that a third country ensures an adequate level of protection. Until such time that such a decision is declared invalid by the Court, Member States and national authorities including independent supervisory authorities cannot adopt measures contrary to such a decision.

However, this does not prevent a data subject whose personal data have been transferred or is about to be transferred to a third country from bringing a claim before the national supervisory authority. Further, as AG Bot outlined, a decision of the Commission cannot eliminate or reduce the powers expressly provided to national supervisory authorities. In particular, the European Data Protection regime does not exclude from the national supervisory authorities’ sphere of competence oversight of transfers of personal data to third countries which are subject to a Commission decision. If that has been the case, this would prevent individuals who would want to make a claim before their respective national supervisory authorities from doing so.

National supervisory authorities who face such claims are under an obligation to examine them with all due diligence. If the national supervisory authority finds that the objections of the data subject are well founded, the authority must be able to engage in legal proceedings. It is for the national legislation to provide legal remedies enabling the national supervisory authority to put forward the objections before the national courts as to the validity of a decision, which if shared may make a preliminary ruling referring the matter to the CJEU for further interpretation.

Overall, the Court found that the Safe Harbor programme which was established through a European Commission Decision to be invalid. In addition, that having such a decision in place which provides that a third country provides adequate protection does not prevent a national supervisory authority from investigating an individual complaint and initiating legal proceedings where appropriate.


This is an important decision for a number of reasons. Firstly, it can have a huge impact on data sharing with the US in different contexts as well as other third countries who may not in fact be providing adequate protection even if they were assessed in the past as doing so. This means that data controllers need to be especially careful when considering the software or service providers that they are using; whether any third countries are involved and how personal data is being protected when processed.

Secondly, it points out the fluidity of this area of the law as the Court has agreed that conditions may change and transfer of data can only be lawful if arrangements are keeping pace with factual and legal developments.

Thirdly, while this decision may mean that there will be changes in relation to transfer of personal data to third countries, it comes at a critical time when this whole area of the law is being overhauled. With the introduction of the General Data Protection Regulation, these changes may be codified and introduced in one go. However, it may still take some time for the final text of the Regulation to be concluded and in the meantime data controllers should consider taking necessary steps to ensure that their practices are in line with this decision.

Forbes Solicitors have experience in assisting businesses, organisations and charities with a range of data protection matters. If you have a question about this decision or any other matter please contact Daniel Milnes.

Nat Avdiu

About Nat Avdiu

Nat Avdiu is a Paralegal in the Contracts and Projects team at Forbes Solicitors. Nat provides updates for clients on a range of issues including: governance, data protection and freedom of information, procurement and charity law.
This entry was posted in Corporate & Restructuring, Housing Litigation, Sports Law and tagged , , , , , , , , , , , , , , , .