Stefano Cancarini, and Flavia Messina, Safe Harbour repealed: first impressions on the transfer of data protection to the United States

The Court of Justice of the European Union on October 6, 2015 released an important decision ruling the transfer of personal data from the European Union to the United States, consistent with the opinion by Advocate General, Yves Bot, of September 23, 2015. The ruling repealed the Decision 2000/520 of the European Commission that had approved the Safe Harbour. The first and immediate consequence of the decision is that the transfer of personal data from the European Union to the United States can no longer be allowed on that scheme. At the same time, the Court affirmed that local Data Protection Authorities must not be prevented from examining a claim concerning the personal data transferred to thirds countries, whether the data subject considers that those countries do not retain an adequate level of data protection. The matter begins in 2013 when an Austrian law student, Max Schrems, made a complaint to the Irish Commissioner in order to prohibit Facebook Ireland from transferring his personal data to Facebook US. He contended that the law in force in that country did not ensure adequate protection of the personal data, especially after the “Snowden” revelations.

The local Data Protection Authority rejected the complaint on the view that it couldn’t investigate the level of protection granted in the United States since the Decision 2000/520 of the European Commission approved the Safe Harbour. The plaintiff then brought an action before the High Court of Ireland, which, in turn, has involved the Court of Justice of the European Union. The decision, as mentioned above, determined the inability for EU companies to use the Safe Harbour scheme to transfer personal data to the United States. It is likely that, following the ruling, local Data Protection Authorities will release common guidelines (as anticipated by the Italian Authority) and will grant a grace period to allow companies to make the necessary adjustments to the new regime or to implement the available alternatives.

 

[ORIGINALLY PUBLISHED IN PWC DATA PROTECTION AND PRIVACY GLOBAL INSIGHT at http://www.pwc-tls.it…. – REPRODUCED WITH PERMISSION BY PWC Legal, Italy, TLS Associazione Professionale di Avvocati e Commercialisti, Stefano.cancarini@it.pwc.com | +39 0291605212]