Safe Harbour ruling ‘a signal from EU’ data must be respected

European Union’s data protection supervisor says relations with US at a crossroads

European Union  data protection supervisor Giovanni Buttarelli. Photograph: European Parliament

European Union data protection supervisor Giovanni Buttarelli. Photograph: European Parliament


A ruling by Europe’s top court invalidating certain data transfers to the US is a “signal from the EU” that citizens’ data must be respected, the European Union’s data protection supervisor has said.

Speaking in Dublin, Giovanni Buttarelli said Europe was at a crossroads following the ruling earlier this week of the European Court of Justice.

The court ruled on Tuesday the 15-year old “Safe Harbour” arrangement - which allowed about 4,500 US companies to expedite data transfers to the US - violated EU citizens’ fundamental rights to privacy and data protection.

Mr Buttarelli said the outcome of the case was “more than a landmark decision”. He said that on foot of the judgement and the strategic partnership which exists between the EU and the US , it was necessary to find a “new process”.

He said preliminary negotiations on a new legal instrument were under way to seek an interim solution and data protection authorities from EU member states would meet next week to discuss the implications of the ruling.

He said the court was “sending a signal to say that data protection is becoming more serious and therefore it has to be more seriously evaluated by all: data protection authorities, controllers and particularly the legislators”.

Mr Buttarelli said data controllers needed to be more aware and more accountable. “Controllers and processors subject to the EU law should respect our law,” he told an event at the offices of Institute for International and European Affairs.

The ECJ’s ruling earlier this week followed a complaint brought by Austrian law graduate and privacy campaigner Max Schrems to the Irish Data Protection Commissioner in 2013. He made the complaint after Edward Snowden claimed Facebook and other US companies were being forced to make their user data - including EU user data - available to US intelligence.

The complaint was brought to the Irish commission as it oversees Facebook and many other tech companies which have their EU and international headquarters in Ireland.

The Irish commission ruled it had no case to investigate as Safe Harbour, and its implementation, was solely a matter for the European Commission.

Mr Schrems took a judicial review at the High Court, which in turn asked the ECJ in Luxembourg for clarity.

On Tuesday, the ECJ ruled in favour of Mr Schrems and found the Irish body was not precluded, as it had claimed, from investigating his original complaint.

The ruling means the case will be returned to the High Court in Dublin which will instruct the Irish DPC to fully investigate Mr Schrems’ original complaint and whether its data transfers of EU member data should be suspended.