On October 6th 2015, the European Court of Justice invalidated the 2000 decision of the Commission providing for what is commonly known as the Safe Harbour scheme.
The Court followed a two step analysis in order to demonstrate the incompatibility of the scheme and the privacy protection rules applicable in the EU.
First of all, the Court held that a decision from the Commission could not prevent national supervisory authorities from dealing with a claim regarding personal data protection. This means that even when the Safe Harbour decision was valid, national authorities should have been able to examine independently whether the transfer of personal data to a third country complies with requirements of the Data Protection Directive. The Irish authorities should have proceeded to investigating the claim notwithstanding the Commission’s decision instating the Safe Harbour scheme.
Thus, the Court concluded that the Commission did not have the competence to restrict the powers of national supervisory authorities, in a way which prevented them from analysing a claim calling into question the compatibility of the decision with the protection of privacy and other fundamental rights.
Secondly, the Court specified that it was the only competent authority for invalidating a decision of the Commission. To revoke the Safe Harbour decision, the Court proceeded to demonstrate that the United States did not ensure a level of protection of fundamental rights essentially equivalent to that guaranteed within the European Union under the Data Protection Directive.
Indeed, the Safe Harbour scheme was applicable to the United States but not to its public authorities. This means that national security, public interest and law enforcement requirements prevailed over the scheme, allowing the United States to disregard de Safe Harbour protective rules when in conflict with national requirements.
Two Commission communications of November 2013 detailed examples where the United States public authorities disregarded the data protection rules for national security reasons.
U.S legislation also allows public authorities to have access to electronic communications. The Court of Justice considered this as ‘compromising the essence of the fundamental right to respect for private life’.
Adding to this, U.S legislation does not provide remedies for individuals who wish to have access to the personal data concerning them which ‘compromises the essence of the fundamental right to effective judicial protection’.
To conclude, given the previous assertions, the Safe Harbour scheme could no longer fulfill its purpose of providing a safe data transfer towards the USA, seeing as the multiple means of disregarding the scheme meant that the protective rules of the Directive would not be applied in many cases.
The Irish supervisory authority is therefore held to examine a claim alleging an infringement of the Directive measures when it comes to data transfers from a European subsidiary firm to its headquarters based in a third country.
In the meantime, the European Commission and the American authorities have said that data transfers will be able to continue on the basis of a new agreement. European citizens will also be able to file complaints to national supervisory authorities in order to insure transfers to third countries comply with the Data Protection Directive.
Manon Faucher
Comments are closed.