• Arts
  • Language Services
  • Furniture
  • Educational Services
  • Private Equity
  • Event Management
  • Nonprofit / Foundation
  • Manufacturing
  • Information Technology
  • Human Resources
  • Hotels and Restaurants
  • Health Care & Pharmaceuticals
  • Media - Broadcast and Publishing
  • Engineering / Construction
  • Food Products, Beverages and Tobacco
  • Petroleum Industry
  • Wholesale and Retail Trade
  • Travel and Leisure
  • Transporting, Moving and Warehousing
  • Telecommunications
  • Security Services
  • Real Estate
  • Marketing and Public Relations
  • Energy
  • Finance
  • Consumer Goods
  • Law Companies
  • Consultancy
  • Architecture
  • Airlines

News

Home / News / Legal Alert - Data protection

Legal Alert - Data protection

4.11.2015
Company: Weinhold Legal, s.r.o. advokátní kancelář

European Court of Justice says NO to the Safe Harbor regime for the transfer of personal data to the USA

On 6 October 2015, the European Court of Justice ruled in the case of Maximillian Schrems vs. the Data Protection Commissioner; in its ruling, the Court found Commission Decision 2000/520/EC of 26 June 2000, stating that the United States Safe Harbor regime provides an adequate level of protection within the meaning of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Directive”), to be invalid.

The Directive stipulates that personal data may be transferred to a third country if, among other reasons, that third country assures an adequate level of data protection. The Directive further stipulates that the Commission may rule a third country has provided an adequate level of personal data protection pursuant to its domestic regulations or international commitments. Every Member State shall designate one or more of its public authorities to oversee adherence to regulations adopted by Member States under the Directive.

Grounds for the ECJ ruling

• The question here was whether the Commission’s decision provides an adequate guarantee of the protection of personal data transferred to third countries (i.e. countries that are neither EU Member States nor members of the European Economic Area), or whether the decision compromises the authority of individual Member States and impairs their ability to effectively control the movement of personal data.

• The ECJ gave as its first reason that no provision of the Directive prevents national supervisory authorities that oversee the movement of personal data to third countries from exercising this oversight, despite the existence of the Commission decision. Thus, even though the Commission issued this decision, national authorities must be able independently to assess whether the movement of data to a third country is in compliance with the Directive.

• The next reason for vacating the decision was that the Commission failed sufficiently to investigate whether the United States provides an adequate level of protection of information in compliance with the Directive, but only performed a review of the socalled Safe Harbor plan. The ECJ stressed that the US legislation does not afford individuals: a) adequate means of access to their own personal data, b) the option of deleting such data, or c) the basic right to effective judicial protection. The ECJ deems it a significant problem that US authorities have greater access to these data than is strictly necessary.

• The final reason that the ECJ found the Commission Decision on the Safe Harbor regime to be invalid is that the Commission does not have the right to restrict national supervisory authorities in the matter of when a third party shall rely on whether the decision complies with the protection of the privacy and fundamental rights and freedoms of individuals.

Impacts of the ruling

• Entities that transfer personal data to the USA and rely on the “Safe Harbor” status of the recipients of such data should pay careful attention to the ECJ decision with particular regard to the fact that the ECJ supported the power of national supervisory authorities to protect personal data (in the Czech Republic, the Office for Personal Data Protection) and to review and suspend the transfer of personal data, and found the Commission decision on the “Safe Harbor” regime to be invalid.

• The ECJ ruling greatly complicates the transmission (transfer) of personal data to the USA.

• The ECJ ruling may impact users of social networks and cloud services (including e-mail) whose providers have their data storage in the USA.

• In practice, the “standard” method of transferring personal data pursuant to national legislation shall have to be applied (in the Czech Republic, the Personal Data Protection Act) in cases of the transfer of personal data to the USA: where no restriction on the free movement of personal data ensues from an international treaty, or where personal data are transferred based on a decision of an EU authority (e.g. in a standard contractual clause), such transfer will call for Personal Data Protection Office consent.

The information in this Bulletin is correct to the best of our knowledge and belief at the time of its publication. Specific advice on matters should be sought, however, before any decisions are made. Nor should the information in this Bulletin be considered an exhaustive treatment of the given issue or its potential ramifications. We also note that differing legal opinions exist regarding some of the matters addressed in this Bulletin due to ambiguities in the respective legislative provisions. Thus, an interpretation other than the one provided here may prevail in the future.

For more information, please contact your usual partner/manager or the following Weinhold Legal attorneys:

Martin Lukáš Attorney martin.lukas@weinholdlegal.com

Jan Turek advokát jan.turek@weinholdlegal.com

Linkedin


AmCham Corporate Patrons

x
x

Delete

Are you sure? Do you really want to delete this item?