Data protection: the EU Court declared no longer valid Safe Habour


The Court of Justice of & rsquo; European Union and judgment on 6 October in Case C-362/14 (M. Schrems vs Data Protection Commissioner), determined that the agreements for the management and transfer of personal data between American and European companies may be suspended by the Member States when there is no the guarantees of an adequate level of data protection < / u>.

So ruling, the Court has in fact declared the & rsquo; invalidity of the European Commission’s decision on the cd program & ldquo; Safe Harbour & rdquo; (Safe Harbor) or the & rsquo; agreement between the European Union and the United States allowing US companies, such as Facebook or Google (but not only, since they are in fact 4,500 American companies that have used the Safe Harbor), to be able to store the personal data of European users on both servers in & rsquo; EU that of those located in the US.

The Safe Harbour had been authorized by the EU Commission with the Decision 520/2000 / EC (the so-called & ldquo; Decision of Safe Harbour & rdquo;), recognizing that the cd Principles of Safe Harbor Privacy Policy, approved by the Department of Commerce of the United States d & rsquo; America, would ensure adequate protection of personal data transferred from & rsquo; EU overseas, thus in compliance with the EU privacy directive (Directive 95/96 / EC) . In practice, the American companies to join the program should have complied the seven principles : 1) Users should be warned about the collection and the & rsquo; use of their personal data; 2) Everyone should be free to refuse the collection of data and their transfer to third parties; 3) The data can be transferred only to organizations that follow adequate data protection principles; 4) Companies need to provide safeguards against the risk that the data is lost; 5) must be collected only data relevant to the detection; 6) You have the right to access the data and if necessary to correct them or delete them if they are inaccurate; 7) These rules must be effectively implemented. Once that & rsquo; firm has joined the program, it must renew the certification every 12 months.

In a nutshell, with this ruling states that, from the date of issue, with definitive effect, the safe harbor must instead submit to the jurisdiction of each state of & rsquo; Union, which may suspend, if deemed appropriate, to the transfer of personal data to the American servers.

The decision of the European Court has been issued as a result of & rsquo; proposed action by a user Austrian Facebook, Mr M. Schrems, who, in June 2013, lodged a complaint with the & rsquo; authority of the privacy Irish, where the social has its registered office, stating that, starting from the Snowden case, the laws of the United States did not provide sufficient protection to the data transferred from & rsquo; Europe. L & rsquo; Authority of Ireland rejected the complaint and the Supreme Court of Ireland, to which Mr Schrems turned, at the time of reference, remitted to the European Court of Justice that with the recent ruling upheld instances of & rsquo; activist.
The European Court has ruled that & ldquo; the existence of a Commission decision, according to which a third country ensures an adequate level of protection of personal data, can neither exclude nor reduce the powers of the national competition authorities. Therefore, even if the Commission has adopted its own decision, the National authorities , when receiving a complaint from a citizen, must be able full independence in assessing whether the transfer of data to a third country meets the requirements of the Directive & rdquo ;.

The most important aspect of the decision, however, concerns the fact that the Court has also ruled invalid the Safe Harbour Decision, citing as the main reason, the fact that Safe Harbor program does not prevent the public authorities of the Member States to interfere with the fundamental rights of the people .
The European Court ruling has important consequences for European companies transferring personal data to the US. In fact, the national competition authorities will no longer be bound by the Safe Harbour Decision and will take appropriate action in the event of any finding that the transfer overseas do not respect the privacy policy. As a result, companies will be required to verify the contracts with their US counterparts and, where contracts relying on the Safe Harbor as a legal basis for data transfer, will have to resort to legal means available alternative to transfer personal data to the United States, as the standard clauses approved by the European Commission.

In a press release made public in recent days, the Working Group Article 29 Data Protection Working Party (independent advisory body set up pursuant to the & rsquo; Article 29 of Directive 95/46 / EC on the protection of personal data) stressed the & rsquo; & rsquo of urgency, start a negotiation that individuals shared a position of governments on international transfers.

The Working Party concludes hoping that companies are aware of the & ldquo; risks they take in data transfer & rdquo; and take timely legal solutions and techniques designed to mitigate these risks in compliance with the Community rules on the data protection .

Therefore, by the end of January 2016, you will have to reach a conclusion that meets the European authorities: if Europe and the United States fail to reach an agreement, the European guarantors undertake to initiate all necessary and appropriate measures, that provide the possibility of a coordinated action.

Posted in News.