Close
  • Français
  • English

2015/10/16Safe Harbor: what consequences? [by General Watin-Augouard]

The Commission’s decision of the 26th of July 2000, stating that the United States comply with the « Security Sphere » is revoked. The Irish Control Authority is tasked with determining whether the suspension of European Facebook users’ data transfers to the United States is required, owing to the shortcomings of this country in regards to adequate protection of private data.

The Court referral

A dispute examined by the High Court of Ireland was placed before the Court. It formulated a prejudicial question meant to figure out whether the Commission’s decision prevents a national control authority to investigate a complaint calling out a national third party on its inadequate security measures and, if necessary, to suspend data transfers. Following the “PRISM” case, Maximilian Schrems, an Austrian citizen, filed a complaint regarding the transfer of his personal data from Facebook’s Irish subsidiary on to the company’s servers in the United States. The Irish Data Protection Authority took no action in response to this complaint, basing its decision upon the Commission’s n°2000/520 ruling of the 26th of July 2000, stating that the United States do actually comply with the principles of the “Security Sphere”, even though personal data protection is not guaranteed along the same rules by American law.

Ruling pronouncement

According to prosecuting attorney Yves Bot[1], “the existence of a Commission ruling stating that a given country provides an adequate security level in regards to transferred personal data has by no means the power to annihilate or even undermine the powers of national regulatory authorities on the basis of the personal data handling directive[2]”. Regarding the United States, he adds that “the access to transferred data that American intelligence services benefit from is constituent of an intrusion in the right to the respect of privacy”.

The Court of Justice of the European Union endorses the prosecuting attorney’s conclusions. In regards to jurisdiction, the commission did not find that the strength of the security measures planned by American law was equivalent to the one guaranteed by the European Union owing to the directive linked to the Chart. Notably, the obligations related to national security, public interest, and the compliance to the United States’ laws overwrite the “Security Sphere” regime, forcing American private corporations to push aside said laws whenever required. The court notes the fact that the legal corpus is not restricted to bare requirements as soon as it allows the entitled authority to get access to any confidential and personal data transferred from the European Union to United States without any kind of restriction or recourse. Consequently, since the United States authorities do not observe the Safe harbor provisions, the court abrogates the decision taken in July 26, 2000.

The court’s ruling constitutes additional fallout of Edward Snowden’s revelations. An estimated 4000 American companies operating within the European Union are concerned by the repercussions. If on one hand, the defending association greets this decision, on the other, economic actors, especially the small and medium enterprises, express their concern. This is explained by them not owning internal legal services strong enough to build contractual clauses or company rules designed to handle data transfer beyond the “Safe Harbor” .

The “Maximilian Schrems” court’s judgment is expected to generate a new round of negotiation concerning the “Safe Harbor” terms and to retain European citizens’ private data within the European Union borders.  It strengthens the importance of independent structures, free from state intervention, such as the CNIL, which should see its powers scope enlarged by the new law “Cyber Republic” promoted by Axelle Lemaire. This ruling should also open the path to finalize a European regulation dedicated to private data protection.

References:

[1] curia.europa.eu, conclusions of  the prosecuting attorney in the C-362/14 Maximilan Schrems/Data Protection Commissioner case.

[2] Directive 95/46/CE of the European Parliament and of the Council of the 24th october 1995 pertaining to the protection of natural persons in regards to personal data handling and free movement of said data.