„Safe-Harbor“-decision of the European Court of Justice
Transfer of Personal Data from Europe to Companies in the USA restricted
In its judgment of 6 October 2015 (ref. C-362/14), the European Court of Justice (ECJ) declared what is known as the “safe harbor” decision of the EU Commission to be invalid. This means that as from this date the transfer of personal data from Europe to companies in the USA can no longer be based on the safe harbor decision.
Many companies will thus lose the legal basis chosen by them to date for the transfer of personal data to service providers and companies in the USA. In particular, it will no longer be possible for European and US affiliates to transfer personal data between them on the basis of “safe harbor”.
Safe harbor decision between the EU Commission and the USA
According to the Data Protection Directive (95/46/EC) applicable within the European Union, personal data may only be transferred to other states if the information is adequately protected there. This critically depends on a level of data protection equivalent to that of the European Union existing in the state to which the personal data are transferred. Whether other states are in a position to guarantee this level of data protection is assessed by the European Commission. This was the background against which, in the year 2000, the EU Commission declared in its safe harbor decision that the USA was a state with the same level of data protection.
Based on the safe harbor decision, therefore, personal data of customers or internet users, as well as employees, can be transferred from states within the EU to the USA and stored and processed there without any further requirements (such as the approval of the person concerned). The only requirement is that the US companies undertake to observe the “Safe Harbor Principles” (a commitment to comply with the EU data protection standards) and register on a “safe harbor list” held by the US Trade Department.
Decision of the ECJ of 6 October 2015
In its judgment of 6 October 2015, however, the European Court of Justice (ECJ) has now found that the same level of data protection does not exist in the USA and that personal data are not adequately protected in the USA. In light of this, the ECJ has declared the safe harbor decision of the EU Commission to be invalid and hence withdrawn the legal basis for the transfer of personal data to the USA on the basis of the safe harbor decision.
Effects in practice (in particular with regard to personal date of employees)
The judgment of the ECJ is of huge practical relevance not only in respect of the data of customers or internet users, but also with regard to the personal data of employees. This is because personal data of employees are often transferred between European and US affiliates – particularly within the same group – for the purposes of storage and processing.
Where these data were previously transferred only on the basis of the safe harbor decision, other legal options will now be required. If these other options do not offer the level of data protection existing within the EU, however, they likewise run the risk of being declared invalid.
At present the only legally watertight way of transferring personal data to the USA is therefore to obtain the express consent of the relevant person to the transfer of their data. The legal validity of the consent is, however, dependent in turn on the relevant person being informed of the precise use for which their personal data are intended and of the extent of the data processing and storage before they declare their consent.