Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

Safe Harbor Decision today!

By Nick Graham
October 6, 2015
  • Europe
  • Privacy Rights
  • United Kingdom

Today, the Court of Justice of the European Union (CJEU) handed down its ruling in relation to the Schrems case. As you will have heard, the Court decided that local DPAs should be entitled to investigate matters (regardless of there being a Commission Decision applicable) and, more importantly, that the Commission Decision on Safe Harbor is, in fact, invalid.

DPA rights to investigate

We had all assumed that if a data transfer was subject to Safe Harbor then that was it. You would not have expected a local DPA to investigate Safe Harbor as that was an official decision and it should be up to the Commission to investigate or upgrade it as required. Then came Snowden. That put Safe Harbor under the microscope, of course.

As a result of the Snowden revelations, the Commission has been negotiating with the US for an upgrade to the privacy principles and FAQs. The Court, however, decided that if you read the Data Protection Directive (the famous Article 25 in particular) together with the EU Charter of Fundamental Rights, this must mean that DPAs can investigate Safe Harbor data exports.

In one sense, this turns DPAs into quasi-judicial bodies. More generally, it reflects the two key changes influencing the Court’s thinking here: (i) the Snowden revelations; and (ii) the higher standards imposed by the Charter. Neither of these factors was, presumably, in the Commission’s “corporate mind” when the Safe Harbor Decision was published, way back in 2000. The Charter, in particular, is featuring more frequently in EU data protection case law.

Safe Harbor decision

The Court raised a number of criticisms of the Commission’s original Decision. The Court highlighted that:

  • no consideration had been given to domestic US law as to whether it provided adequate protection for data;
  • the carve out for access to data for national security, crime prevention and other purposes was too broad; and
  • there was no appropriate remedy for EU citizens.

In other words, there were architectural defects in the Safe Harbor regime.  These concerns were brought to light by the surveillance revelations of Edward Snowden.

Should we panic?

No!  However, it is time to think carefully about putting alternatives to Safe Harbor in place (e.g. model contracts or BCRs).  The ICO accepts that this will take time.

Interestingly, the Commission was at pains to point out in their press conference this afternoon that they value international trade and that data flows with the US should continue. So this is not about “pulling up the digital drawbridge”. In particular, they have indicated that there will be guidance published to ensure business has certainty and clarity going forward. They were also keen to point out that the “Safe Harbor 2.0” currently being negotiated is well advanced but that they need a little more time to sort out the national security issue. Let’s wait and see. The sooner the better.

We are publishing a fuller analysis of the decision tomorrow.  Please contact me if you would like a copy.

About Nick Graham

Nick Graham is the Global Co-Chair of Dentons' Privacy and Cybersecurity Group. He specialises in data privacy, cybersecurity and information governance. Nick advises across all sectors including retail, telecoms, energy, manufacturing, banking, insurance, transport, technology and digital media.
