Two days ago (6th October) the CJEU released a very important decision as regards the protection of our data.
Everyday we are using services and applications, the providers of which are based in US. According to the Data Protection Directive “the transfer of personal data to a third country may, in principle,take place only if that third country ensures an adequate level of protection of the data”. In addition, “the Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments”. The Safe Harbor is an agreement between EU and US as regards the transfer of the European citizens’ data to the US . In fact, it rules that the US companies should comply with the protections set by the European Directive.
However, Maximillian Schrems, a PhD student from Austria but also a Facebook user challenged this agreement, right after the revelations of Edward Snowden in 2013. More specifically, he lodged a complaint with the Irish supervisory authority (the Irish Data Protection Commissioner) on the grounds that “the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country”. The Irish authority rejected the complaint and held that due to the existence of the Safe Harbor, the adequate protection was presumed. However, the High Court of Ireland did not share the same opinion and addressed the issue to the CJEU, asking them whether Safe Harbor “has the effect of preventing a national supervisory authority from investigating a complaint alleging that the third country does not ensure an adequate level of protection and, where appropriate, from suspending the contested transfer of data”.
After some delay, the CJEU decision came out on the 6th October marking Max’s effort with success. Briefly, the decision “declares the Safe Harbour Decision invalid” and states that “even if the Commission has adopted a decision, the national supervisory authorities, when dealing with a claim,must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements laid down by the directive”. Any other case would “compromise the essence of the fundamental right to effective judicial protection”. To conclude, Max Schrems’ claims on the inadequate protection of our data should be investigated by the national authorities and a decision is expected on the 20th October by the High Court of Ireland. Stay tuned for the upcoming developments.