Germany: The European Court of Justice (ECJ) has ruled that the agreement on data protection between the EU and the US is invalid.
In a widely announced judgment, the ECJ has ruled that the agreement between the EU and the US on transmission of personal data to companies in the USA is invalid. This means that transmission of personal data is from now on illegal if based on this agreement.
The background to this decision is that transmission of personal data to companies outside the EU or the EEA is permissible only if the country where the company is located guarantees the same data protection as the EU or the EEA.
Until now this level of protection was guaranteed by the principles of the Safe Harbour Agreement. So far users and courts had assumed that, for companies which signed the agreement, adequate data protection in the USA was guaranteed.
The ECJ has now decided that the level of protection of the Safe Harbour Agreement is not sufficient, as the Agreement is not comparable with the EU Charter of fundamental rights. From the court’s point of view the provision which generally allows state authorities access to electronic communication violates Art. 7 of the EU Charter of fundamental rights, which guarantees the fundamental right to private life and the right to protection of personal data.
Conclusion: The ECJ ruling does not in general preclude transmission of data to companies from the US. But companies from the EU or the EEA have to examine from now on whether the level of data protection can be achieved by other instruments than the Safe Harbour Agreement – for example by using EU-standard contracts or binding corporate rules – or if the company should refrain from data transmission to companies from the US.
Source: European Court of Justice, judgment of 6 October 2015, C-362/14