The judgement rendered by the European Court of Justice on 6 October means that all the past advices given on the transfer of personal data from Europe to the United States, which were justified solely on the basis of an American organisation’s adherence to the "Safe Harbour" principles, should be revised.
Indeed, this justification is no longer acceptable. It is now important to consider other possible alternatives regarding the transfer of personal data to third countries.
The decision of the European Commission (‘Commission’) of 26 July 2000 (‘Safe Harbour Decision’) provided that personal data was adequately protected by American organisations that adhered to the "Safe Harbour Principles" and that such data could be transferred to such organisations from Europe.
This Decision had been adopted pursuant to the Commission’s authority under Directive 95/46/CE of 24 October 1995 (‘Privacy Directive’), to determine that a third country ensures an adequate level of protection by means of its domestic law or the international commitments it has entered into. This system therefore made it possible to circumvent the prohibition contained in the Privacy Directive which prohibits the transfer of personal data to third countries when they do not offer an adequate level of protection.
On 6 October, the European Court of Justice (‘ECJ’) decided, however, to invalidate this Decision, upsetting a practice that had been followed for the last fifteen years.
This judgement was rendered following a request for a preliminary ruling from the High Court of Ireland (‘High Court’). An Austrian student had complained that Facebook stored his data in the United States, a country that, according to him, did not offer a sufficient level of protection against the surveillance by the public authorities of transferred personal data. A first complaint had been made to the Irish data protection authority, which had rejected the complaint, considering that the organisation’s adherence to the Safe Harbour principles and the Safe Harbour Decision prevented it from exploring the issue further.
The High Court therefore referred the issue to the ECJ in order to determine whether the Safe Harbour Decision prevents a national supervisory authority from investigating a complaint from a person who contends that the transfer is illegal because of non-compliance by the third country with the adequate level of protection that it must ensure with regard to the personal data transferred.
The reply of the ECJ is that, even in the presence of a Commission decision, the national supervisory authorities must be able to examine with complete independence whether the transfer of data to a third country respects the requirements imposed by the Privacy Directive.
The ECJ then examined the validity of the Safe Harbour Decision. It noted that the Safe Harbour principles are solely applicable to American organisations that voluntarily adhere to them and that the United States public authorities are not required to comply with these principles. The American authorities are therefore free to require that the organisations that have adhered to the Safe Harbour principles deviate from them, enabling considerable interference by these public authorities in the fundamental right of persons to respect for their privacy.
By omitting to set limits to the generalised access of the public authorities to the transferred data in the Safe Harbour Decision, the ECJ considers that this Decision is illegal and that adherence to such principles is not sufficient to allow the transfer of personal data from the European Union to the United States.
