ECJ finds Commission Safe Harbour Decision invalid

In what is seen by many as a victory for user privacy, the Court of Justice of the European Union (CJEU) overturned the Safe Harbour agreement between the USA and the EU. The anticipated judgment in the Max Schrems case declared the Commission’s Safe Harbour Decision (2000) invalid: (a) even when a Commission decision exists, national supervisory authorities still have the power to examine with complete independence whether a transfer of personal data to a third country complies with the Data Protection Directive; (b) the Commission’s decision did not examine whether the US afforded an adequate level of protection equivalent to that guaranteed in the EU, but simply examined the safe harbour scheme. In the US, the scheme is applicable only to undertakings that adhere to it, whereas public authorities are not subject to it, and national security, public interest and law enforcement requirements prevail over scheme, whereas there are no such limitations exist under EU law. For these reasons, the CJEU declared the decision invalid. Critics are now saying that the decision will lead to the Balkanisation of the Internet, fearing a future with ‘each country with its own Internet, gated off legally and governed by its own privacy laws‘. More details: full judgment; court’s press release; reactions by Max Schrems and others.