ECJ invalidates Data Transfer Pact between U.S. and Europe

Monday, October 26, 2015


On Tuesday 6 October 2015, the European Court of Justice (ECJ) issued a landmark ruling against the transfer of personal data from Europe to the United States.[1] This ruling invalidates European Commission Decision 2000/520, which provided a legal basis for the transfer of personal data from the European Union (EU) to undertakings established in the United States that adhere to the so-called safe harbour principles.

Europe’s highest Court said that the Safe Harbor Agreement did not sufficiently protect EU citizens’ personal data since the requirements of American national security, public interest and law enforcement trumped the privacy safeguards contained in the framework.

The Court also noted that the legislation fails to provide individuals with the right to be heard on the question of the surveillance and interception of their data. This interferes with the inherent rights of EU citizens and prevents them from obtaining an effective remedy.

Furthermore, the Court resolved that the European Commission failed to perform an appropriate review in order to determine whether the U.S. ensured a level of protection for human rights essentially equivalent to that in force in the European Union.

The ECJ ruling became effective immediately and the European Commission said it would continue to work with the U.S. on a revamped data transfer deal to fill the void.

Origin of the Ruling

The case reviewed by the European Court of Justice originated with Max Schrems, a 27-year-old Austrian graduate student. Mr. Schrems’ complaint was filed, among other reasons, as a result of the revelations made by former U.S. National Security Agency (NSA) contractor Edward Snowden beginning in May 2013 concerning the activities of U.S. intelligence services, in particular those of the NSA. Snowden alleged that the NSA established a programme called ‘PRISM’ under which U.S. authorities obtained unrestricted access to mass data stored on servers in the United States owned or controlled by a range of companies active in the internet and technology field, such as Facebook, Apple and Google.

Instead of lodging a complaint against Facebook Ireland Ltd., Mr. Schrems filed a complaint with the Data Protection Commissioner on 25 June 2013, claiming, in essence, that the law and practices of the United States offer no real protection of the data kept in the U.S. against State surveillance.

The Data Protection Commissioner dismissed the complaint, partly because the European Commission had already stated in its Decision 2000/520, that under the safe harbour scheme the United States ensured an adequate level of protection of the personal data transferred.

Mr. Schrems appealed to the High Court against the Commissioner’s decision to reject his complaint. The High Court, in turn, decided to suspend proceedings and submitted a request to the ECJ to determine whether the Commission’s Decision impedes national supervisory authorities from investigating a complaint containing allegations that question the level of protection ensured by a third country and whether, if necessary, these authorities may suspend the denounced transfer of personal data.

Findings of the ECJ

The European Court of Justice concluded that, on the one hand, the national supervisory authorities are able to carry out investigations in countries where they receive a complaint alleging matters that could call into question the level of protection ensured by a third country, including where the Commission has found that the third country concerned ensures an adequate level of protection.

On the other hand, if a national supervisory authority completes its investigations and confirms that the contested transfer of data undermines the protection that citizens of the EU must enjoy with regard to the processing of their data, it has the power to suspend the transfer of data in question, irrespective of the general assessment made by the Commission in its decision.


This ruling has a significant impact on employers as it no longer allows for companies subscribing to the Safe Harbor Agreement to store and process data generated by their European clients in web searches, social media posts and other online activities. In other words, the Court has declared that a safe framework for the transfer of personal data across the Atlantic simply does not exist.

Furthermore, all pertinent companies are now forced to stop applying the mentioned framework when it conflicts with the requirements of American national security, public interest and law enforcement. Likewise, they are also forced to look for an alternative mechanism for their data transfers to the United States.

Thus, employers may need to implement new procedures to protect personal data adequately. It is advisable that concerned employers review their current transfers of personal data and the related routines.

[1] ECJ 16 October 2015, C-362/14, Schrems v Data Protection Commissioner (joined party: Digital Rights Ireland Ltd).

Unless otherwise indicated, this information has been authored by an employee or employees of the University of California, operator of the Los Alamos National Laboratory under Contract No. W-7405-ENG-36 with the U.S. Department of Energy. The U.S. Government has rights to use, reproduce, and distribute this information. The public may copy and use this information without charge, provided that this Notice and any statement of authorship are reproduced on all copies. Neither the Government nor the University makes any warranty, express or implied, or assumes any liability or responsibility for the use of this information.