EU-US data flows suffered a major blow last week as the EU Court of Justice declared the Commission´s Safe Harbor Decision invalid. In this decision, commonly known as the “Safe Harbor deal”, the Commission declared the United States a country where the EU citizens´ personal data have the same level of protection as inside the EU – this regime is allowed under EU data protection rules and details were negotiated with the US authorities (hence “deal”). Therefore, if US companies declared that they were operating under the Safe Harbor regime (meaning sticking to some data protection standards), they were authorized to process EU citizens´ data in the US, practically without the legal oversight of EU data protection authorities. This point was brought before court in Ireland in a case of an Austrian citizen against Facebook (Facebook has its EU subsidiary in Ireland). The citizen asked the Irish data protection authority to investigate, whether the so-called Snowden revelations about US surveillance programs do not endanger his data privacy processed in the US under the Safe Harbor. The Irish data protection authority declared that it was not allowed to investigate because of the Commission decision. The court asked the EU court to clarify. The EU surprisingly strongly-worded court´s decision, largely expected after the recent Advocate-General´s opinion of similar wording, denounces the US for not respecting fundamental rights of EU citizens – their data processed in the US may be made available to national security authorities under the surveillance schemes published by Snowden. It also points out that the Safe Harbor regime effectively strips data protection authorities in the EU of their competence to protect EU citizens´ data. Therefore, the Court of Justice declared the Safe Harbor Decision invalid.
Unusually, the Court of Justice did not provide any transitional measures. The Decision is declared illegal since its publication in 2000, and therefore also any proceedings made under it are to be regarded as illegal – including all data transfers made under its auspices. Also, there is no grace period for the Commission to negotiate a new deal (which the Commission is trying to do since the Snowden revelations in 2013 – until now unsuccessfully). This means, that the everyday EU-US flow of data needs to find a new legal basis. According to legal experts, EU rules provide enough possibilities, though each one is more complicated than the Safe Harbor (explicitly-stated approval by EU citizen, bilateral data processing contracts, or intra-company binding rules). EU data protection agencies find themselves more empowered, too. They will be able to investigate into US firms´ data protection records.
From a business side of view, this ruling could be a boost to EU cloud services. Since US companies will not be allowed to transfer EU citizens´ data to the US for processing so easily, a way out could be building data centers located in the EU. In any case, the Commission is under huge pressure now – not only to answer for the now invalidated Safe Harbor, but also to justify the negotiation of a new one. Work is also ongoing on new EU data protection rules.
26th July 2019