Safe Harbor in Choppy Waters

EU Court of Justice.

Why a Safe Harbor? (briefly)

The EU recognizes the right to privacy with respect to the processing of personal data as a fundamental right and freedom. Directive 95/46/EC. This guarantees EU citizens with the rights to their personal data, including the rights to have the collection of their personal data limited to the minimum extent required, that the data is correct and accurate, and to access their stored data. The US does not have a comparable overriding principle about personal data privacy. (The Fourth Amendment regulates government search and various state laws regulate other privacy concerns, but not with the same general principles that we apply to the freedoms of speech or religion guaranteed by the First Amendment.)

Because privacy is a fundamental right, controllers of personal data in the EU can not transfer personal data unless the individual personal data will be treated with an adequate level of protection. Consequently, transfers of personal data that do not provide an adequate level of protection for personal data are prohibited.

Articles 25 and 26 of the Directive set forth the following:

Article 25. Principles

  1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
  2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
  3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.
  4. Where the Commission finds, under the procedure provided for in Article 31(2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.
  5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.
  6. The Commission may find, in accordance with the procedure referred to in Article 31(2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.

Article 26. Derogations

  1. By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2) may take place on condition that:
    1. the data subject has given his consent unambiguously to the proposed transfer; or
    2. the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject’s request; or
    3. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
    4. the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
    5. the transfer is necessary in order to protect the vital interests of the data subject; or
    6. the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
  2. Without prejudice to paragraph 1, a Member State may authorise a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25(2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.
  3. The Member State shall inform the Commission and the other Member States of the authorisations it grants pursuant to paragraph 2.

While US domestic law and international commitments are not sufficient to protect the personal data of EU citizens, the European Commission had ruled that the transfer of personal data is permissible to companies that participate in the Department of Commerce Safe Harbor program. Participants in the Safe Harbor certify that their collection and use of personal data adheres to the standards required by the Directive. The Commission found this acceptable.

What happened to the Safe Harbor?
Max Schrems, an Austrian activist, lawyer, and Facebook user, filed a complaint with the Irish data protection authority to block the transfer of his personal information to the US. (Like many companies who take advantage of Ireland’s favorable tax laws, Facebook contracts with its users in the EU through its Irish subsidiary.) Schrems alleged that the transfer was unlawful, because the law and practice in force in the US did not ensure adequate protection of the personal data against surveillance activities by the public authorities, in particular the bulk collection practices of the National Security Agency.

The Irish Data Protection Commissioner ruled that because the European Commission found the Safe Harbor to provide an adequate level of protection, the transfer was lawful. Schemers appealed to the Irish High Court. In Schrems v. Data Protection Commissioner ([2014] IEHC 310), the Irish High Court ruled that under Irish privacy law, “a significant issue would arise as to whether the United States ‘ensures an adequate level of protection for the privacy and the fundamental rights and freedoms’ of data subjects, such as would permit data transfers to that country.” But, since Irish law has been pre-empted by EU law, the Commissioner must decide whether the EU Safe Harbor Regime remains valid and controlling, or whether individual data controllers have the authority to review transfers in light of the revelations about US data collection activities.

Today, the EU Court of Justice ruled in Schrems v. Data Protection Commissioner (C-362/14, 6 October 2015) that national data protection authorities have the authority to investigate whether the laws and practices of a country to where personal data is transferred provide an adequate level of protection for individual citizens. But the national supervisory authority does not have the authority to find an EU ruling invalid.

The Court finds a number of ways that the Safe Harbor is limited to misuse by the Safe Harbor participant, but fails to protect personal data from disclosure to any US Federal or state government. Because the safe harbor principles are applicable solely to self-certified United States organizations receiving personal data from the European Union, United States public authorities are not required to comply with them. Where US law imposes a conflicting obligation, US organizations whether in the Safe Harbor or not must still comply with the law.

While the Commission ruled that the Safe Harbor provides an adequate level of protection, the Court finds that the Commission did not properly establish that the Safe Harbor does in fact provide this level of protection:

“However, the Commission did not state, in Decision 2000/520, that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments. …[It] does not contain any finding regarding the existence, in the United States, of rules adopted by the State intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States, interference which the State entities of that country would be authorised to engage in when they pursue legitimate objectives, such as national security. Consequently, without there being any need to examine the content of the safe harbour principles, it is to be concluded that Article 1 of Decision 2000/520 fails to comply with the requirements laid down in Article 25(6) of Directive 95/46, read in the light of the Charter, and that it is accordingly invalid.”

The Court finds the Commission decision that considers the Safe Harbor to provide an adequate level of protection to be invalid.

What next for US Safe Harbor Companies?


While the Irish Data Protection Commissioner and High Court have found that data transfers to the US do not provide an adequate level of protection, they have yet to rule Facebook’s data practices to be unlawful. Yet. Expect the other national data protection authorities to receive complaints about US company data collection practices.

In addition to Safe Harbor participation, other options for data transfers outside of the EU exist, including model contractual clauses for EU data controllers transferring data and adopting Binding Corporate Rules for handling data.

See Also
CJEU Press Release The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid
“In today’s judgment, the Court of Justice holds that the existence of a Commission decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive. The Court stresses in this regard the right, guaranteed by the Charter, to the protection of personal data and the task with which the national supervisory authorities are entrusted under the Charter.”

Mark Scott, New York Times, Data Transfer Pact Between U.S. and Europe Is Ruled Invalid “The ruling, by the European Court of Justice, could make it more difficult for global technology giants — including the likes of Amazon and Apple, Google and Facebook — to collect and mine online information from their millions of users in the 28-member European Union.”

EFF, No Safe Harbor: How NSA Spying Undermined U.S. Tech and Europeans’ Privacy “The spread of knowledge about the NSA’s surveillance programs has shaken the trust of customers in U.S. Internet companies like Facebook, Google, and Apple: especially non-U.S. customers who have discovered how weak the legal protections over their data is under U.S. law. It should come as no surprise, then, that the European Court of Justice (CJEU) has decided that United States companies can no longer be automatically trusted with the personal data of Europeans.”

Sebastian Anthony, Ars Technica, Europe’s highest court strikes down Safe Harbor data sharing between EU, US “It’s important to note that the CJEU’s ruling (PDF) will not immediately prevent US companies from sending data back to the motherland. Rather, the courts in each EU member state can now rule that the Safe Harbour agreement is illegal in their country. It is is very unlikely, however, that a national court would countermand the CJEU’s ruling in this case.”

Photo credit: European Court of Justice, EQRoy /

1The Directive defines ‘personal data’ as any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

‘processing of personal data’ means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

Andrew Raff @andrewraff