Regulatory case law, October 2015: Safe Harbour inadequate to protect privacy

Latest EU regulatory case law1

As expected based on the earlier Advocate General opinion, the ECJ ruled that EU-US Safe Harbour agreement cannot be deemed to provide an adequate level of protection due to mass surveillance measures of the US security agencies.

In particular, the Court ruled invalid European Commission 2000/520 decision giving a blanket permission for export of personal data to the US companies who have self-certified themselves under the EU-US Safe Harbour agreement.

Said Decision laid down that ‘national security, public interest, or law enforcement requirements’ had primacy over the Safe Harbour principles, primacy pursuant to which self-certified United States organisations receiving personal data from the European Union are bound to disregard the same Safe Harbour principles without limitation where they conflict with those requirements and therefore prove incompatible with them. Moreover, the Decision did not contain any finding regarding the existence, in the United States, of rules adopted by the same country intended to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States. This included  the lack of procedures that could be applied in disputes relating to the legality of interference with fundamental rights that resulted from measures originating from the State such as national security (as distinguished from pure commercial dispute resolution by the US Federal Trade Commission and private dispute resolution mechanisms).

The Court further ruled that European national data protection supervisory authorities are obliged to examine the claims of breach by means of overseas transfers with all due diligence even if the transfer has been covered by a Safe Harbour-style European Commission decision.

Is your business involved in processing personal information and want to know how the Safe Harbor ECJ decision affects you? Feel free to refer to Aphaia’s privacy and data protection consultancy service.

Bostjan Makarovic

Bostjan Makarovic

Bostjan Makarovic is Aphaia's Founder. In addition to 14 years of industry experience, he holds Queen Mary, University of London PhD in legal regulation of NGN, London School of Economics and Political Science MSc in Environmental Policy and Regulation, and is IAPP-certified international privacy professional (CIPP/E).
Bostjan Makarovic

Leave a Reply

Your email address will not be published. Required fields are marked *