CJEU declares EU-US Safe Harbour scheme invalid

Maximillian Schrems, an Austrian citizen, lodged a complaint with the Irish data protection authority about the transfer of his personal data by Facebook to the US under the Safe Harbour scheme, claiming that US law and practice do not offer sufficient protection against surveillance by the public authorities of the data transferred. The Irish data protection authority rejected the complaint on the grounds that the US-EU Safe Harbour scheme ensured an adequate level of protection of the personal data transferred to the US, and that no further review was required. Schrems then lodged a complaint with the High Court of Ireland, which subsequently referred the case to the EU Court of Justice (CJEU).

On 6 October 2015, the CJEU ruled that the US-EU Safe Harbour framework is invalid (with immediate effect). Transfers of personal data from the EU to the US that were covered by Safe Harbour will be unlawful unless they are suitably authorised by data protection authorities or fit within one of the legal exemptions.

Alternative methods of addressing data transfers will be needed in the future - for instance, by implementing EC-approved data transfer agreements / complying with the EU Model Clauses, which enable customers to move data between the EU and other countries, even in the absence of Safe Harbour - or by obtaining individual consent.

The CJEU's decision makes it important for the EC and the US to reach agreement on a path forward. The advisory body comprising representatives from each of the 28 EU data protection authorities, the Article 29 Working Party, is currently considering the judgment (see: http://ec.europa.eu/justice/data-protection/article-29/press-material/pr...).

You can read the complete judgment of the CJEU in Case C-362/14, Maximillian Schrems v. Data Protection Commissioner, here: http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pa...