As expected based on the earlier Advocate General opinion, the ECJ ruled that the EU-US Safe Harbour agreement cannot be deemed to provide an adequate level of protection due to the mass surveillance measures of the US security agencies.
In particular, the Court ruled invalid European Commission Decision 2000/520, which gave blanket permission for the export of personal data to US companies that have self-certified under the EU-US Safe Harbour agreement.
The Decision laid down that ‘national security, public interest, or law enforcement requirements’ had primacy over the Safe Harbour principles. Under that primacy, self-certified United States organisations receiving personal data from the European Union are bound to disregard the Safe Harbour principles without limitation where they conflict with those requirements and therefore prove incompatible with them. Moreover, the Decision did not contain any finding regarding the existence, in the United States, of rules adopted by that country to limit any interference with the fundamental rights of the persons whose data is transferred from the European Union to the United States. This included the lack of procedures that could be applied in disputes over the legality of interference with fundamental rights resulting from measures originating from the State, such as national security measures (as distinguished from purely commercial dispute resolution by the US Federal Trade Commission and private dispute resolution mechanisms).
The Court further ruled that European national data protection supervisory authorities are obliged to examine claims of breach arising from overseas transfers with all due diligence, even if the transfer is covered by a Safe Harbour-style European Commission decision.
Is your business involved in processing personal information, and do you want to know how the Safe Harbor ECJ decision affects you? Feel free to refer to Aphaia’s privacy and data protection consultancy service.