On 6 October 2015, the CJEU (case no. C-362/14) has declared the Commission's 2000 decision on Safe Harbor concerning the transfer of personal data from the EU to the USA to be invalid, with immediate effect. The CJEU has also held that the existence of any Commission decision that a third country ensures an adequate level of protection (which applies, for example, to Argentina, Canada, Israel, New Zealand, Switzerland and Uruguay) cannot reduce the powers of national data protection authorities, opening up the possibility of future challenges to those adequacy findings as well.
This CJEU judgment has wide ramifications for German companies that transfer their customer or employee data to the U.S. relying on the Safe Harbor principles. Such transfer is now prohibited. German companies must quickly find and implement alternative ways to legitimise the transfer such as standard contractual clauses adopted by the Commission (Model Clauses) or Binding Corporate Rules (BCR, for intra-group transfers).
Under the German Data Protection Act ("Bundesdatenschutzgesetz - BDSG"), transfers of personal data outside the EEA may, in principle, take place only if the receiving country ensures an adequate level of protection of the data similar to the level within the EU. In this regard, the Commission may find that a particular country ensures adequate protection. The Commission made a finding of adequacy with respect to transfers to U.S. companies who have signed up to the Safe Harbor scheme. This scheme was now challenged by Austrian Max Schrems who lodged a complaint about the transfer of his personal data from Facebook in Ireland to Facebook's U.S. servers. However, the challenge of Safe Harbor before the CJEU was only a matter of time and does not come as a complete surprise. The German Conference of Data Supervisory Authorities, for example, adopted a decision in March 2015 where it declared that the Safe Harbor scheme does not provide for an adequate level of protection of the data regarding a data transfer to the U.S.
The CJEU has declared that the Commission decision that Safe Harbor provides adequate protection is not compliant with EU law and therefore is invalid. On the one hand the personal data of EU citizens is not sufficiently protected against access of U.S. authorities, on the other hand U.S. legislation does not provide for any possibilities for EU citizens to pursue legal remedies in order to have access to the personal data concerned...