ECJ: No "safe harbor" USA
The European Court of Justice (ECJ) has decided that the USA are no "safe harbor" for personal data of EU citizen. With this ruling, the ECJ has withdrawn a decision of the EU Commission from 2000. It could have far-reaching consequences for internet companies.
Facebook as trigger
Background for the ECJ's decision was a complaint of the Austrian Maximillian Schrems against Facebook. The Irish subsidiary of Facebook transfers data of European users to servers located in the US, where the data is also further processed. After the revelations by the American whistleblower Edward Snowden, Schrems started to fight against the transfer of his personal data to the US.
The Irish authorities refused his complaint at first, based on the above mentioned decision of the EU Commission. In July 2000, the Commission had decided that the US applied to the "Safe Harbor" scheme. Personal data of EU citizen can only be transferred to third countries if these guarantee an adequate level of protection, which has to be verified by the Commission and national data protection authorities of the Member States.
The Irish High Court thereafter asked the ECJ whether national authorities should still handle a complaint when the Commission already decided upon the respective country - like in the case of Maximillian Schrems against Facebook.
ECJ has the final say
The ECJ has now decided that the national data protection authority has to handle every complaint, regardless of former decisions by the EU Commission. The Commission cannot limit the competences of those authorities. If a national authority comes to the conclusion that no adequate protection level exists, it has to forward the complaint to national courts which then again have to turn to the ECJ. Only the ECJ can declare that a decision of the Commission is invalid - as it did now concerning the US.
According to the ECJ, the United States do not provide adequate protection for the data of EU citizens. The Court has based its ruling on several aspects:
- US authorities
US companies can voluntarily follow the Safe Harbor scheme. If they do so, they are obliged to protect personal data transferred to them to the same extent as European companies - they have to follow European regulations.
However, these provisions do not apply to US authorities. Investigations that are undertaken with regards to national security, public interest or law enforcement requirements override the Safe Harbor scheme. When a US company is asked by a public authority to transmit personal data of an EU citizen, it has to follow this request, even if this means that it can no longer protect the respective data.
- Unlimited access
Furthermore, the ECJ states that the access of US public authorities to personal data is neither limited nor restricted by any legal regulations whatsoever. The public authorities tend to process the data far beyond what is necessary. EU citizens have no possibility to pursue legal remedies in order to have access to personal data relating to them, or to obtain the correction or erasure of such data. According to the ECJ, this is incompatible with the European protection measures.
In its press release regarding the ruling, the ECJ states that a protection level according to European standards is not provided when legislation "authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use." The ECJ thinks that the entitlement of US public authorities to access all electronic communication is a violation of the basic right to privacy.
These three aspects, combined with the above mentioned fact that the Commission's decision of 2000 limits the competences of national data protection authorities, have led to the ECJ's ruling. The US are therefore no longer a "safe harbor" for the personal data of EU citizens.
The Irish data protection authorities will now have to investigate the complaint of Maximillian Schrems. Facebook claims to already act according to EU regulations and therefore won't have any consequences following the ruling.
The ruling could nevertheless have effects to other US companies that direct their business activities towards Europe. Internet giants like Google will have to investigate their handling of data of European citizens.