The ECJ v DPC Ruling on the Safe Harbour Scheme

Data location and protection has been at the forefront of our minds recently. Last week the Weltimmo case saw a landmark ruling passed – ensuring companies are held to the standards of the country they are operating in – despite where they may claim to be operating from.

This week we see a fresh case come to light, with the safe harbour scheme coming to the forefront. Here’s a brief rundown of the case, and its results.

[easy-tweet tweet=”Safe harbour is dead.” user=”rhian_wilkinson” hashtags=”cloudlaw, dataprivacy”]

As is the case with other subscribers residing in the EU, some or all of the data provided by users to Facebook is transferred from Facebook’s Irish subsidiary to servers located in the United States, where it is processed.

Maximillian Schrems, a Facebook user since 2008, and an Austrian citizen, lodged a complaint with the Irish supervisory authority (the Data Protection Commissioner), taking the view that, in the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the NSA), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country.

The Irish authority rejected the complaint because in a decision of 26 July 2000, the Commission considered that, under the ‘safe harbour’ scheme, the United States ensures an adequate level of protection of the personal data transferred. i.e. Mr Schrems had no reason to be making his complaint.

But now, the case has been brought before the High Court of Ireland, and the Court has declared the Safe Harbour Decision invalid. This judgment has the consequence that the Irish supervisory authority is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

To simplify – Mr Schrems has brought a hell of a lot of attention to the fact that the United States may not be respecting EU citizen’s data privacy rights – and the High Court of Ireland has acknowledged his fears, and said they’ll look into it.


Ashley Winton, UK head of data protection and privacy at international law firm Paul Hastings, comments on the European Court of Justice’s landmark Schrems v DPC ruling.

“The ECJ’s Schrems v Irish Data Protection Commissioner ruling has serious repercussions for multi-national companies with operations in Europe. 

Data Protection law in Europe provides that personal data may not be exported out of Europe unless certain conditions are met.  More than 4000 US companies have so far enjoyed using the ‘safe harbor’ rules agreed between the European Commission and the US Department of Commerce which permit the easy transfer of personal data from Europe to the US.

Many European data protection regulators, particularly those in Germany, have long believed that the conditions of the safe harbour scheme are not substantial enough and the effect of today’s ruling will empower them to investigate and check the acceptability of any data transfer themselves.

In addition, although the case today primarily concerns safe harbour the ruling will also apply to other European Commission approved methods of transferring personal data internationally. 

Crucially, this case cannot be considered alone. Following the landmark case of Weltimmo last week, multinational companies that have elected to create an establishment in a more business-friendly jurisdiction are now likely to have their data protection practices scrutinised by local regulators all across the EU.

There are currently no rules limiting individuals bringing complaints regarding data protection across multiple jurisdictions simultaneously, so we may now see these complaints springing up from every direction, where data is being shared around the world.”


It’s been an exciting week for EU data – are any of you enjoying this as much as me?

+ posts

Meet Stella


Related articles

Strategy and anticipation are key to securing against cyber threats

With technological progress comes increased security risks. Sophisticated and co-ordinated cyber groups are working every day to find potential entry points into organisations’ networks.

Raising talent attraction and retention with IT investment

To be at the centre of talent attraction and retention, businesses should make use of workplace technology that enables them to integrate collaborative, secure and sustainable measures into their operations.

How NIST started the countdown on the long journey to quantum safety

Leading the charge to develop a post-quantum cryptographic standard for organisations is the US government’s National Institute of Standards and Technology (NIST).

Overcoming economic uncertainty with cloud flexibility

Particularly for companies that jumped into the cloud headfirst, taking the time to optimise existing processes is a remarkable way to reduce infrastructure costs and free up OPEX for delivering business value.

“The need for speed” – Finding a way to unlock agility for today’s businesses 

To fully support agility, the solutions chosen will need to enshrine all the latest innovations in areas like artificial intelligence, machine learning or prescriptive analytics.

Subscribe to our Newsletter