The Court of Justice of the European Union (“CJEU”) issued yesterday its long-expected Judgment in Schrems vs Data Protection Commissioner, in which the court, largely adopting the opinion of its Advocate General, resolved that the Decision 2000/520 of the European Commission which provides that the Safe-Harbour scheme provides an adequate level of protection and can be used as ground for the transfer of personal data from the EU to US companies participating in the Safe Harbour scheme, is invalid.
Additionally, the CJEU concluded that a Commission decision finding that a third country provides an adequate level of protection of the personal data transferred does not prevent the national supervisory data protection authorities from examining whether the transfer of personal data to a third country complies with the requirements laid down by the Data Protection Directive.
The judgment was issued following a request for preliminary ruling of the Irish High Court as a result of a previous complaint of Max Schrems, an Austrian citizen, filed with the Irish Data Protection Commissioner against Facebook Ireland. Mr. Schrems complained that the mass transfer of Facebook users’ personal data on servers located in the US is not compliant with EU law, since the Safe Harbour scheme, the basis on which such data transfers were made, does not provide an adequate level of protection, as it is not applicable to US public authorities in the context of their surveillance activities.
The decision is of major importance because it touches on millions of data transfers effected on a daily basis from the EU to US entities and it paves the way for national data protection authorities to judge on an ad hoc basis whether a data transfer effected from the EU to a US entity certified under the Safe Harbour scheme actually provides adequate data protection guarantees. In this respect, there is a possibility that different approaches on this topic will emerge among the various EU data protection authorities creating more favourable places for overseas corporations to base their operations and related forum shopping.
The practice of the Greek Data Protection Authority (“DPA”) up to date was to require only the filing of a notification for data transfers effected from Greek data controllers to Safe-Harbour US-based companies. Following this judgment, there may be a change, not excluding the requirement of prior authorization by the DPA for each data transfer.
Given this uncertainty on the DPA’s reaction to the CJEU judgment, Greek entities which intend to transfer personal data to the US are strongly advised to enter into the EU model clauses that have been recognized by the European Commission.