Today, the Court of Justice of the European Union (the “CJEU”) invalidated the European Commission’s Decision on the EU-U.S. Safe Harbor arrangement (Commission Decision 2000/520 – see here). The Court was responding to questions referred for a preliminary ruling by the Irish High Court in the so-called Schrems case. In particular, the High Court had asked about the powers of European data protection authorities (“DPAs”) to suspend transfers of personal data that take place under the existing Safe Harbor arrangement. The CJEU ruled both on the DPAs’ powers and on the validity of Safe Harbor, finding that national DPAs do have the power to investigate such complaints and, further, that the Commission decision finding Safe Harbor adequate is invalid.

This judgment affects all companies that rely on Safe Harbor. They now need to consider alternative data transfer mechanisms.

The Powers of the DPAs

First, the CJEU emphasized that the DPAs cannot invalidate a Commission adequacy decision themselves; only the CJEU has this power. However, the DPAs must have the power to examine complaints brought by data subjects against transfers made on the basis of Safe Harbor or other adequacy decisions of the European Commission under Article 25(6) of the EU Data Protection Directive, and must be able to bring legal proceedings so that a reference for a preliminary ruling can be made to the CJEU to examine the decision’s validity. In addition, the European Commission struck out the provision in the Safe Harbor decision which allows the DPAs to suspend data flows, subject to restrictive conditions establishing a high threshold for intervention. According to the CJEU, this provision denies the DPAs the powers which they have under the EU Data Protection Directive, and the Commission has no competence under Article 25(6) to restrict the DPAs’ powers under Article 28 of the Directive.

Safe Harbor

Second, the CJEU declared the Safe Harbor decision invalid, without providing for a transitional period, based on the following reasoning:

  • Article 25(6) of the EU Data Protection Directive empowers the Commission to find that a third country ensures an adequate level of protection. The CJEU held that, once the Commission has made such a finding, it must check periodically whether the finding is still factually and legally justified, especially when evidence gives rise to doubt.
  • The CJEU further held that, although Article 25(6) cannot be interpreted as requiring a level of protection identical to that guaranteed in the EU legal order, the level of protection must be essentially equivalent, by reason of the third country’s domestic laws or its international commitments. In other words, the legal order of the third country must prove effective, in practice, in meeting this level of protection.
  • In the present case, the Court decided that the standard of “essentially equivalent” is not met by the United States, in particular because:
    • The United States public authorities are not required to comply with the Safe Harbor Principles.
    • Where U.S. law imposes an obligation conflicting with the Safe Harbor Principles, certified U.S. organizations must comply with the law.
    • The applicability of the Safe Harbor Principles may be limited on the basis of a broad “national security, public interest or law enforcement requirements” exemption contained in the Safe Harbor decision. The general nature of this derogation interferes with the fundamental rights of the individuals concerned, and the Safe Harbor decision does not contain any reference to rules adopted by the U.S. which would limit such interference. In fact, the Commission itself had found that the U.S. authorities were able to access and use transferred personal data for purposes that go beyond what is strictly necessary and proportionate to the protection of national security. In the CJEU’s view: “Legislation is not limited to what is strictly necessary where it authorises, on a generalised basis, storage of all the personal data of all the persons whose data has been transferred from the EU to the U.S. without any differentiation, limitation or exception being made in the light of the objective pursued and without an objective criterion being laid down by which to determine the limits of the access of the public authorities to the data, and of its subsequent use, for purposes which are specific, strictly restricted and capable of justifying the interference which both access to that data and its use entail.”

      The CJEU further found that the Safe Harbor decision also does not refer to the existence of effective remedies against interference of this kind: “Legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data does not respect the essence of the fundamental right to effective judicial protection.”

What Does It Mean in Practice?

The judgment applies to everyone (erga omnes), not only to the parties in the case. It is definitive without possibility of appeal and has immediate effect.

The judgment will have an important impact on organizations and the broader political discussions regarding EU-U.S. data flows.

  • Organizations relying on Safe Harbor to transfer personal data to the U.S. will have to consider alternative transfer mechanisms in order to transfer personal data lawfully to the U.S. Immediate short-term alternatives are likely to include standard contractual clauses and, in more limited instances, consent and possibly other statutory derogations (Article 26(1) of the EU Data Protection Directive). Binding Corporate Rules are another alternative, but would require more time to put in place.
  • Negotiations on the revised EU-U.S. Safe Harbor framework are still under way (see our earlier posts here and here). It will be interesting to observe the impact that the CJEU’s findings have on these negotiations. The European Commission is determined to continue these negotiations, as Commissioner for Justice, Consumers and Gender Equality Věra Jourová confirmed in a press conference today (the full statement is available here).

Interestingly, the CJEU does not consider a system of self-certification in itself to be contrary to Article 25(6) of the EU Data Protection Directive; however, it seems that such a system may be open to challenge unless the domestic law or international commitments of the third country ensure a level of protection which is essentially equivalent to that guaranteed in the EU legal order.

A working group of the Article 29 Data Protection Working Party—an EU advisory body, comprised of representatives of the DPAs of all EU Member States, the European Data Protection Supervisor and the European Commission—is meeting later this week to discuss the implications of this ruling. Moreover, the European Commission will release guidance shortly.

It is hoped that the DPAs will come up with pragmatic solutions as thousands of companies will be struggling to put in place alternative data transfer mechanisms which, in many cases, cannot be done overnight.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.