In its judgment of October 6, 2015 (Case C-362/14) the Court of Justice of the European Union (“CJEU”) held that transfers of personal data of European citizens to the United States made under the so-called Safe Harbor scheme are subject to significant risks, and declared the corresponding decision of the European Commission to be invalid. As a consequence, EU entities of U.S. companies so far relying on Safe Harbor will need to revise their practice of submitting personal data to the U.S. to comply with EU data protection law.
The background to this CJEU ruling was a complaint lodged by European Facebook user Maximilian Schrems with the Irish data protection authority. Facebook Ireland, the company’s European headquarters, transfers the data of its subscribers to the servers of its parental company in the U.S. Mr. Schrems argued that the law and practices of the United States offered no real protection against U.S. surveillance of his data. The Irish authority rejected the complaint relying on the “Safe Harbor” decision of the European Commission of July 26, 2000 (Decision 2000/520/EC). Safe Harbor is a U.S. government framework containing a set of principles on the treatment of sensitive personal data of EU citizens. According to the Commission’s decision, it is assumed that an adequate level of data protection is guaranteed where U.S. companies agree to comply with these principles. In the Irish authority’s opinion, national authorities should thus be prevented from launching investigations into data transfers covered by the Safe Harbor scheme. The case was brought before the High Court of Ireland, which further referred it to the CJEU.