Zum Inhalt

DE | EN

EUGH.jpg
Image: EUGH.jpg

ECJ: No "safe harbor" USA

Rights & Rules

Data protection not ensured in the US

The European Court of Justice (ECJ) has decided that the USA are no "safe harbor" for personal data of EU citizen. With this ruling, the ECJ has withdrawn a decision of the EU Commission from 2000. It could have far-reaching consequences for internet companies.

Facebook as trigger

Background for the ECJ's decision was a complaint of the Austrian Maximillian Schrems against Facebook. The Irish subsidiary of Facebook transfers data of European users to servers located in the US, where the data is also further processed. After the revelations by the American whistleblower Edward Snowden, Schrems started to fight against the transfer of his personal data to the US.

The Irish authorities refused his complaint at first, based on the above mentioned decision of the EU Commission. In July 2000, the Commission had decided that the US applied to the "Safe Harbor" scheme. Personal data of EU citizen can only be transferred to third countries if these guarantee an adequate level of protection, which has to be verified by the Commission and national data protection authorities of the Member States.

The Irish High Court thereafter asked the ECJ whether national authorities should still handle a complaint when the Commission already decided upon the respective country - like in the case of Maximillian Schrems against Facebook.

ECJ has the final say

The ECJ has now decided that the national data protection authority has to handle every complaint, regardless of former decisions by the EU Commission. The Commission cannot limit the competences of those authorities. If a national authority comes to the conclusion that no adequate protection level exists, it has to forward the complaint to national courts which then again have to turn to the ECJ. Only the ECJ can declare that a decision of the Commission is invalid - as it did now concerning the US.

According to the ECJ, the United States do not provide adequate protection for the data of EU citizens. The Court has based its ruling on several aspects:

  1. US authorities
    US companies can voluntarily follow the Safe Harbor scheme. If they do so, they are obliged to protect personal data transferred to them to the same extent as European companies - they have to follow European regulations.
    However, these provisions do not apply to US authorities. Investigations that are undertaken with regards to national security, public interest or law enforcement requirements override the Safe Harbor scheme. When a US company is asked by a public authority to transmit personal data of an EU citizen, it has to follow this request, even if this means that it can no longer protect the respective data.
     
  2. Unlimited access
    Furthermore, the ECJ states that the access of US public authorities to personal data is neither limited nor restricted by any legal regulations whatsoever. The public authorities tend to process the data far beyond what is necessary. EU citizens have no possibility to pursue legal remedies in order to have access to personal data relating to them, or to obtain the correction or erasure of such data. According to the ECJ, this is incompatible with the European protection measures.
     
  3. Disproportion
    In its press release regarding the ruling, the ECJ states that a protection level according to European standards is not provided when legislation "authorises, on a generalised basis, storage of all the personal data of all the persons whose data is transferred from the EU to the United States without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down for determining the limits of the access of the public authorities to the data and of its subsequent use." The ECJ thinks that the entitlement of US public authorities to access all electronic communication is a violation of the basic right to privacy.

These three aspects, combined with the above mentioned fact that the Commission's decision of 2000 limits the competences of national data protection authorities, have led to the ECJ's ruling. The US are therefore no longer a "safe harbor" for the personal data of EU citizens.

Consequences


The Irish data protection authorities will now have to investigate the complaint of Maximillian Schrems. Facebook claims to already act according to EU regulations and therefore won't have any consequences following the ruling.

The ruling could nevertheless have effects to other US companies that direct their business activities towards Europe. Internet giants like Google will have to investigate their handling of data of European citizens.

Related links

ECJ press release
http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf

Share this post

Facebook Twitter Drucken E-Mail
Teaser-Image: EUGH.jpg

This could also be of interest:

Online gambling in Austria

Online gambling in Austria

Many affected gamblers do not even know that they can reclaim gambling debts they have incurred at foreign casinos or online casinos. These foreign companies do not have a licence in Austria. Our article explains the background and possibilities.

👷 Tips for service contracts abroad in the EU

👷 Tips for service contracts abroad in the EU

In our globalised everyday life, contracting foreign companies is no longer unusual and the freedom to provide services is a fundamental right in the EU. We explain which rules and obligations apply and what you should look out for before placing orders with foreign companies.

Brexit - travellers and consumers

Brexit - travellers and consumers

In the referendum on 23 June 2016, 52 percent of Britons voted in favour of Brexit. On 24 December, the EU and the UK concluded a far-reaching trade and partnership agreement. What are the consequences for consumers in Europe? Here are some hints about the changes from the perspective of travellers and consumers

Sozialministerium
VKI
EU
ECC