European Court of Justice - EU US Safe Harbour ruling declared invalid
The European Court of Justice has ruled today that the EU Safe Harbor agreement regarding adequacy of data privacy rules as compared to EU rules is invalid.
The Court reasoned that the Safe Harbor principles only bind the United States undertakings which adhere to it, but that the United States public authorities are not themselves subject to it. “Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the Commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.”
The Court added that the ruling meant Ireland's regulator now needed to decide whether Facebook's EU-to-US transfers should be suspended.
Companies may therefore forthwith not rely on the self-certification of US companies under the US Safe Harbor framework constituting an adequate level of protection and have to ensure such protection by other means, e.g. EU Model Clause agreements, for all data transfers to the US. Naturally, such a change will not be possible within a day or two for existing data transfer agreements. However, setting up new agreements for transfer of data to the US, companies are well advised to use EU Model Clauses and request that their counterparts provide networks and servers within the EU.
The decision of the Court also affects Switzerland and Swiss companies transferring their data under the US - Swiss Safe Harbor agreement to the US. While the US - Swiss agreement is not invalidated by the decision of the Court per se, it is questionable whether Swiss companies may continue to rely on its application and its providing adequate data protection for their data in the US. Swiss companies setting up new data transfers to the US or renegotiating existing ones will in the meantime be well advised to base new data transfers on EU Model Clauses agreements rather than continuing to rely on the US - Swiss Safe Harbor framework.