Van Kaam advocaten


IP, media and privacy law are constantly moving. Its boundaries are challenged daily. What's allowed and what's not. Herein lies the core of our work. Work that keeps challenging and inspiring us.

filter on category:

European Safe Harbour Decision invalid


The European Court of Justice (''ECJ'') has rendered an important judgment in a case about the transfer and storage of European personal data in the United States. The court ruled that the European Safe Harbour Decision does not provide an adequate level of protection of personal data. Based on this agreement organisations such as Google, Facebook, Microsoft, Apple, Amazon and Twitter got permission to store data from Europeans in the U.S. In total there are over 5000 organisations transferring personal data based on these decision.


Background: Schrems vs. Facebook
The ruling is the final judgment in a case between the Austrian student Maximillian Schrems and Facebook. All Facebook subscribers residing in Europe must sign an agreement with Facebook Ireland, an Irish subsidiary of the American Facebook Inc. The data provided by subscribers to Facebook is transferred, in whole or in part, to servers in the U.S., where it is processed. Schrems lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner). According to Schrems the law and practice of the U.S. do not offer sufficient protecion against surveillance by the public authorities of the data transferred to the country. He aims at the revelations by Edward Snowden in 2013 concerning the activities of the U.S. intelligence services and in particular the National Security Agency (''NSA'').


The Irish authority rejected the complaint on the ground that in a decision of the European Commission (''EC'') in 2000 considered that, under the 'safe harbour' scheme, the U.S. ensures an adequate level of protection of the personal data transferred. Scherms brought the case before the High Court of Ireland, that referred the case to the ECJ.

Legal framework
Protection of personal data is not internationally regulated; every country applies its own privacy rules. Within the European Union these rules are harmonised, which means that the level of protection is equal throughout the whole EU. In order to transfer or process personal data from the EU to countries outside the EU, other rules apply.


Based on the European Privacy Directive personal data can only be transferred to a country outside of the EU when that country ensures an adequate level of protection of that data. In practice it means that it provides a protection level that is more or less consistent with the level of protection provided in the EU. The European Commission may find that a third country ensures an adequate level of protection. In that case the EU member states must allow the transfer of EU personal data to that country.


In addition, that same directive decides that each Member State is to designate one or more public authorities responsible for monitoring the application within its territory of the national provisions adopted on the basis of the directive. In the Netherlands this is the Dutch Data Protection Authority (''CBP'').


Fifteen years ago it was agreed with the U.S. within the framework of the abovementioned provisions that American organisations could obtain data of EU citizens when they promised they would treat the data consistent with the European privacy rules. This agreement is known as the Safe Harbour Decision.


Judgment of the ECJ
Now the court has ruled that such an agreement cannot eliminate or even reduce the powers available to the national supervisory authorities. In response of a complaint about processing personal data by a third country national supervisory authorities must be able to examine, with complete independence, whether the transfer of data to third countries outside the EU complies with the requirements laid down by the Privacy Directive.


The Court rules that the data of Europeans is not effectively protected in the U.S. because in certain circumstances American organisations are obliged to ignore the data protection legislation. The revelations of Snowden about the practices of the NSA have shown that American authorities do not have to comply with these rules and have access on a generalised basis to the content of electronic communication. Furthermore, the Court stresses that the American Safe Harbour scheme does not provide an effective judicial protection. Applying these provisions on the transfer of European personal data compromises the essence of the fundamental right of respect for private life of Europeans and their fundamental right to effective judicial protection. Therefore the European Court invalidated the Safe Harbour Decision.


The Irish supervisory authority is required to examine Mr Schrem's complaint with all due diligence and, at the conclusion of its investigation, is to decide whether there is offered an adequate level of protection with the transfer of the data of Facebook's European subscribers to the U.S. Given the considerations of the European Court it is likely the answer will be negative. In that case transferring the data from the EU to the U.S. should be suspended, but only to the extent it is based on the provisions of the Safe Harbour Agreement.


Important signal
The judgment is an important signal for the European Commission. After all, it is the third landmark judgment of the court regarding privacy protection in a short period of time. In this connection reference can be made to the Google Spain/Costeja judgment about the 'right to be forgotten' and the judgment of Digital Rights Ireland e.a./Seitlinger about the inoperability of the data retention directive of consumer data from telecommunication providers for law enforcement. In all these judgments the European Court distinctively seems to prioritise the protection of personal data.


EU Commissioner Frans Timmermans has indicated that the traffic of data between the EU and the U.S. should continue for the time being. According to him there are other legal alternatives within the European legislation that enables the exchange of data.


The ruling does not directly bring data traffic to the U.S. to an end. However, the fundamental legal basis for this - the Safe Harbour Agreement - became redundant. When one wishes to transfer data and/or store data in the U.S. - for instance in the cloud of an American company - they will need to find another legal basis. Examples include the possibility of obtaining explicit permission from users or handling so-called EU Model Clauses. These are model contracts between organisations and supervisory authorities such as the CBP by which these organisations are required to provide an adequate level of protection. When such a contract is signed unaltered, this may constitute as a basis for transferring data to countries outside the EU such as the U.S. 


Practice will have to decide which is the most effective legal basis for data transferring to countries outside the EU, in particular the U.S.