Global menu

Our global pages


The CJEU rules Safe Harbor to be invalid

  • Austria


    On the morning of 6th October 2015 the Court of Justice of the European Union („CJEU“) published its ruling on a case that has caused a stir all over the world. Coming from a proceeding that has been initiated by the Austrian Maximilian Schrems the CJEU declared the “Safe Harbor Decision” issued by the European Commission in 2000 to be invalid. This ruling has tremendous implications on the transfer of personal data between the EU and the USA especially concerning the transfer of data between affiliated companies.

    In order to illustrate these implications it is necessary to summarize the former legal situation and the content of the CJEU ruling:


    When is the transfer of personal data into third countries permitted?

    The transfer of personal data outside the EEA (including to the USA) is only permissible without an examination or a permit respectively by the Data Protection Authority, if one of the following exceptions apply:

    • To fulfil contracts that have been concluded in the data subject’s obvious interest, e. g. sales contracts with the other party having their corporate seat in the USA;
    • With the data subjects voluntary prior agreement (especially regarding employee data “voluntariness” is often seen as problematic...);
    • Transfer of data that has already been legitimately published;
    • If the transfer is necessary to enforce, execute or defend a claim towards foreign authorities, provided the data has been collected legitimately;
    • If the transfer to controllers or to processors has been explicitly permitted in a standard ordinance or a model ordinance;
    • The data is transferred to recipients in third countries with an adequate general level of data protection. These specific countries that have an adequate general level of data protection are stipulated by special ordinance issued by the federal chancellor (such ordinances, however, only cover a small selection of countries like Switzerland).

    If none of these exceptions apply, a permit by the Data Protection Authority is required to be obtained prior to such a data transfer. For each single case the authority has to examine, whether the data is adequately protected against misuse, which quite often takes considerable time.


    What was the “Safe Harbor Decision”?

    To facilitate data transfer between the EU and the USA the Safe Harbor program has been developed enabling US based companies to voluntarily submit to specific data protection provisions. These were designed to guarantee an adequate level of data protection similar to the level of protection within the EU. Compliance with these provisions was enforceable at a court level. US based companies that voluntarily submitted to these provisions were registered with a list publicly available on the internet.

    In 2000 the EU Commission issued the general decision that an adequate level of protection existed, if the data recipient located in the USA voluntarily submitted to the Safe Harbor provisions. Thus, data transfer to such a recipient was treated as if it were conducted within the EEA (or to another country declared to have a similar level of protection). Therefore, such data transfer was legal without a prior permission by the relevant data protection agency.

    Most large US based companies, especially the most important “data importers” (EJ Google, Microsoft, Facebook and Apple – to name only a few) submitted to these provisions and therefore enabled data transfer without requiring permission.

    The CJEU decision summarized

    As already mentioned before, the ruling states that the Safe Harbor Decision is invalid with immediate effect. However, the probably even more important aspect is that the CJEU establishes that the Commission’s original determination of the Safe Harbor program offering an “adequate” level of protection has already been incorrect then. For its conclusions on the Safe Harbor Decision’s validity the CJEU examined the definition of the term “adequacy” and decided (concurring with the Advocate General’s opinion) that:

    “...the term “adequate level of protection” must be understood as requiring the third country [in this case the US] in fact to ensure, by reason of its domestic law or its international commitments a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 [the “data protection directive”] read in the lights of the Charter [of Fundamental Rights]”.

    The CJEU highlights the fact (as revealed by the PRISM scandal) that US authorities are lawfully permitted conduct large scale monitoring and collection. of EU citizen’s personal data that has been transferred to the USA. On the basis that such collection of data/monitoring in the US is pursuant to public interest and law enforcement interests, which prevail over the requirements of the Safe Harbor scheme, the CJEU notes that US entities are, accordingly, “bound to disregard those principles [of the Safe Harbor scheme] without limitation where they conflict with those requirements and therefore prove incompatible with them.”

    Further, the CJEU observes that such US legislation does not provide for any possibility for an individual data subject in the EU to pursue legal remedies against the US authorities for processing of their personal data, including a right of access to such data and/or the ability to obtain rectification or deletion of such data.

    Independence of Data Protection Authorities

    Following the opinion of the Advocate General, the CJEU has ruled that data protection authorities (DPA) in each member state “must be able to examine, with complete independence, whether the transfer of that data [to a third country] complies with the requirements lay down by the directive.”

    Therefore, DPAs should and do have authority to investigate complaints raised regarding any decision of the Commission in relation to the adequacy of a third country (i. e. not just the Safe Harbor Decision in relation to the adequacy of Safe Harbor but all decisions relating to the adequacy of data protection laws in countries outside the EU).

    Further, dependent on the outcome of such investigations, DPAs may refer their findings to the CJEU, which will ultimately rule on whether the adequacy decision of the Commission still stands.

    What are the consequences now Safe Harbor is invalid?

    The impact of this ruling is far reaching. Not only for the thousands of companies that have themselves certified under the Safe Harbor scheme but for the many thousands more that trade with those businesses and disclose personal data to them believing they can do so lawfully. The Safe Harbor scheme underpins a lot of international trade and services, in particular the use of cloud and other technology based services, so its impact will be felt across most sectors.

    Following the Ruling, on the afternoon of 6 th October 2015 the Commission held a press conference at which it appeared to confirm that Safe Harbor is immediately invalid and went on to say that it “...will come forward with clear guidance to [DPAs] on how to deal with data transfers to the US in light of [the Ruling]”. However, such clear guidance has not yet entered existence...

    On 16th October 2015 the so-called “Article 29 Working Party” – an informal working party of all EU data protection authorities – issued a statement underlining that such data transfers to the USA that have been solely based on Safe Harbor so far are illegal with immediate effect. In the same statement it is also announced that the individual data protection authorities are committed to take all necessary and appropriate enforcement actions (i. e. considerable monetary penalties), if by the end of January 2016 no appropriate solution is found by the legislator. In the case of complaints by individual data subjects such enforcement actions, however, are also possible earlier.


    What you should do now:

    In practical terms, those relying on Safe Harbor should take immediate steps to implement their “Plan B”.

    What could such “Plan B” consist of?

    • You could “retract” all data transfer so far and henceforth only process data within the EEA (e. g. with cloud service providers, who guarantee that the data are only stored and will remain stored on service within the EEA);
    • You could engage to obtain clear and voluntary consent by all data subjects for transfer (ATTENTION: such a statement of consent has to explicitly determine the recipient and the purpose of the data transfer!);
    • You could anonymize transferred data (especially regarding transfer of employee data to parent companies, the data of “John Doe“ is irrelevant compared to the overall staff organization data);
    • You could conclude a data protection agreement with the data recipient based on the “standard contractual clauses” also developed by the EU-Commission in order to obtain permission by the data protection authority (this was explicitly stated by the “Article 29 Working Party” to be an appropriate possibility, however, because of the current situation, this will take considerable time – moreover, it is to be expected that the CJEU will also rule these standard contractual clauses to be inadequate in subsequent decisions).

    Eventually, it is rather improbable that just one of the aforementioned measures will lead to the desired result. It is probably necessary to implement a “combination” of several such measures.

    Moreover, a comprehensive solution will only come into existence, if the (European) legislator completely overhauls this entire sector – for example within the current negotiations with the USA regarding the free trading agreement. However, as long as this has not happened, ignoring the problem is no use. The order of the day is to act quickly!

    If you have any questions regarding this topic (for example because your company transfers employee data to the parent company in the USA, uses cloud or email-services by google or similar providers or has an American provider operate a whistleblowing hotline) please do not hesitate to contact us – the clock is ticking and impending fines are considerable...



    Dr. Georg Röhsner
    T: +43 1 516020 160




    This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full terms and conditions on our website.

    < Go back

    Print Friendly and PDF
    Register to receive regular updates via email.