The European Court of Justice invalidates the US data transfer deal
The CJEU has declared that the European system for data transfer to the USA based on the so-called “Safe Harbor” scheme is invalid. The controversial Judgment, delivered on 6 October by the Court of Justice of the European Union, invalidates Decision 2000/520, on the “Safe Harbor” certification, which authorized personal data transfer from the European Union to companies in the United States, provided that they guaranteed an adequate level of protection and respected the privacy regulations of Member States. The Court held that the principles on which Safe Harbor is based are only applicable to business corporations and therefore not to state agencies or US government bodies which could interfere with the privacy rights of European citizens based on “national security, public interest and law enforcement requirements of the United States” without there being effective state regulations or legal mechanisms in place to limit that type of interference.
The Court states in this regard that current personal data protection policies in the United States regarding the general interest and national security, and the lack of rules intended to limit any such interference, or failure of effective legal protection in terms of limitation, differentiation and objective criteria governing the interference by public authorities in the private affairs of European citizens, fail to comply with the principles of data protection implemented in the Old Continent as a result of Directive 95/46, which imposes clear and precise rules on how to protect citizens from abusive, unjustified and disproportionate interference by public authorities in their private life.
Until this Judgment, the Spanish Data Protection Agency accepted mere notification by the data controller (without any authorization requirement) of data transfer to the USA, provided that the company importing the data adhered to the Safe Harbor scheme. As a result of the Judgment, there are now a number of issues left hanging, such as the measures that national data protection authorities should now take in respect of international data transfer to the United States already authorized, and with regard to those data transfers that may be requested in future. In particular, the Spanish Data Protection Agency refers to the decision on its web site in this press release, indicating that it will proceed to establish criteria with European regulators with a view to standardizing practical application of criteria laid down in the ruling. Internal sources at the Agency have advised that until such time as an internal and common position is reached, aligning the various European national authorities, and until the course of action has been defined, data controllers should not make any movements modifying or notifying transfers to the United States before the national regulator.
The best advice on how to proceed during this legal “limbo”, despite the uncertain future of the current scenario, and until a course of action has been set by the various European agencies, would be for data controllers to address this change proactively. Until the route map has been drawn up, it will be difficult to progress towards any solutions likely to reduce risks and contain the impact of the practical application of the judgment. Such measures could begin by drawing up detailed lists of all the international transfers made, meticulously reviewing data assignment agreements with US businesses, checking that they have taken into account Standard European Clauses, and ensuring that the US importer fulfils the requirements laid down by European Law.