Safe harbour not so safe anymore: the European Court of Justice Judgment C-362/14 (Maximillian Schrems versus Data Protection Commissioner)

Abstract

The European Union has adopted over the years a most protective legal framework regarding privacy and data protection with Directive 95/46/EC holding a primary role. Under the current EU legislation companies and organisation operating in the European Union cannot transfer personal data to third countries unless they can guarantee that the EU standards of protection will be followed. With the Safe Harbor Decision (2000/520/EC) of the European Commission, a set of principles processed between the US Department of Commerce and the European Union provided the framework for US companies to certify that they meet the EU requirements for personal data protection. Nevertheless, most recently, the European Court of Justice (C-362/14) responding to a preliminary question referred by the High Court of Ireland regarding Facebook's processing of personal data in the US, considered the Safe Harbor Decision as invalid due to the fact that it does not required all organisations and more specifically US federal government agencies to work with to comply with its requirements. Therefore, according to the European Court of Justice, the Safe Harbor Principles cannot provide with the sufficient guarantees.