Does European Court Ruling Signal the Demise of Safe Harbor?
The European Court of Justice recently made a judgement on a case involving Facebook and a complaint lodged by a privacy rights campaigner, which challenges the future validity of Safe Harbor.
In this context Safe Harbor is a legal agreement between the US and EU that provides assurance that US companies that participate in the scheme will comply with and provide an adequate level of protection for data transferred from the EU.
Safe Harbor has been relied upon by many organisations to demonstrate compliance with the provisions of the Data Protection Act Principle 8 which requires that:
Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Prior to this judgement, US companies that joined the Safe Harbor scheme were recognised by the European Commission as providing adequate protection.
The complainant legally challenged that, as a result of the Snowden revelations and activities of the US Intelligence Services, the US no longer offered a sufficient level of protection. His claim was originally rejected by the Irish legal authorities on the basis that under the Safe Harbor scheme the US did ensure an adequate level of protection. The case was referred to the European Courts who over-ruled the original decision by the Irish authorities, ruling that the Irish Supervisory Authority is required to examine the original complaint with due diligence and not simply defer to a successful Safe Harbor registration.
Most notably the European Court made the following statement:
‘….national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. European and UK data protection authorities will need to provide clear direction to businesses across Europe, the UK Deputy Information Commissioner David Smith has already stated that the ruling is significant and ‘means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US in line with the Law’.
The Irish authority has therefore been instructed to decide for itself whether the US does or does not afford an adequate level of protection for data transferred from the EU.
The judgement adds to an already complex issue for UK businesses when seeking to transfer personal data to US companies or when using the European located hosting services of US companies. Both business consumers and service providers must now wait for more detailed direction to come from the EU and UK information protection authorities before assessing the true impact of the judgement.
 Court of Justice of the European Union Press Release No 117/15:
 ICO response to EU ruling on personal data to US Safe Harbor: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/10/ico-response-to-ecj-ruling-on-personal-data-to-us-safe-harbor/