14 octobre 2015
By decision dated 6 October 2015 (Case C-362/14), the Court of Justice of the European Union ruled that the Commission’s Safe Harbor enabling cross-border flows between Europe and United States (provided that recipient companies join the Safe Harbor principles) is invalid.
Further to the revelations made in 2013 concerning the access to the personal data by the United States intelligence services, a Facebook user lodged a complaint in order to object to the transfer of his personal data to the United States. The case was heard by the High Court of Ireland which asked to the Court of Justice of the European Union to give a preliminary ruling.
On October 6 this year, the Court of justice of the European Union declared that the Commission’s US Safe Harbor decision is invalid considering that the Commission did not justify that the United States “ensures” an adequate level of protection by reason of its domestic law or its international commitments.
The national supervisory authorities will have to look at the data transfer to the United States considering that the United States does not ensure an adequate level of protection of personal data.
The CNIL reacted swiftly and explained on its website that it is no longer possible to transfer data to the United States on the basis of the Safe Harbor. The CNIL also indicates through a press release that it will meet its counterparts in the G29 in order to precisely determine the legal and operational consequences of this decision regarding transfers that have made on the basis of the Safe Harbor.
Many economic operators are affected by this decision. In fact, the Safe Harbor agreement is indeed one the most commonly used for European companies in order to transfer data to the United States. Several solutions may be found out, in particular the introduction of standard contractual clauses or Building Corporates Rules.