06.10.2015

CJEU: Commission’s US Safe Harbour Decision is invalid (updated)

CJEU 23.09.2015, C-362/14 (PDF; DE) - Maximillian Schrems v Data Protection Commissioner
[...] On those grounds, the Court (Grand Chamber) hereby rules:
  1. Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.
  2. Decision 2000/520 is invalid.
From the CJEU's press release (pdf): This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

An overview of the reactions (DE) here at Netzpolitik.
- Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information, press release: [...] The national and European data protection authorities will in future play a key role in implementing this decision. It must be examined whether and to what extent data transfers to the USA are to be suspended. This also applies where they are based on other legal grounds such as standard contractual clauses, consent or Binding Corporate Rules. To this end, the supervisory authorities will coordinate their approach at national and European level before the end of this week. The EU Commission, for its part, must press the USA to establish an adequate level of data protection. [...]

- Austrian Data Protection Authority: On the CJEU's declaration of invalidity of the European Commission's Safe Harbor decision: [...] In its official statement on the Safe Harbor decision of 6 October 2015, the European Commission noted, among other things, that transfers of personal data to the USA can continue to be based on mechanisms such as standard contractual clauses (2001/497/EC, 2004/915/EC or 2010/87/EC) and Binding Corporate Rules. Within the authorisation procedure, however, the Data Protection Authority reserves the right (in this respect) to assess in the individual case the adequacy of the level of data protection applicable in the recipient state pursuant to § 13(2) DSG 2000. [...]

- Article 29 Working Party, The Court of Justice of the European Union invalidates the EU Commission Safe Harbor Decision, press release (pdf)

- From the speaking points of First Vice-President Timmermans and Commissioner Jourová's press conference on Safe Harbour following the Court ruling in case C-362/14 (Schrems)
[...] Now, you'll ask me how data flows can continue without the Safe Harbour in the meantime.
The EU data protection rules provide for several other mechanisms that provide safeguards for international transfers of personal data, for instance through standard data protection clauses in contracts between companies exchanging data across the Atlantic or binding corporate rules for transfers within a corporate group.
Also the Data protection rules include derogations under which data can be transferred on the basis of:
  • performance of a contract [e.g. If you book a hotel in the U.S., my personal data are transferred there in order to fulfil the contract];
  • Important public interest grounds [e.g. cooperation between authorities in the fight against fraud, cartels, etc.];
  • The vital interest of the data subject [e.g. it means in urgent life or death situations, personal data such as medical records can be transferred internationally in the person's own interest]; or
  • Or if there is no other ground, the free and informed consent of the individual. [...]
- Position paper of the ULD on the judgment of the Court of Justice of the European Union of 6 October 2015, C-362/14 (pdf)