On 6th October, the European Court of Justice (ECJ) handed down a ruling invalidating a decision of the European Commission (Decision 2000/520) that recognised a procedure known as the Safe Harbour, whose aim was to allow the transfer of personal data to entities located in the United States of America.

Safe Harbour provided a set of principles and guidelines on their application in order to protect privacy, issued by the USA Department of Commerce. The principles were drawn up to facilitate trade and transactions between the USA and the EU in order to obtain a presumption of adequate protection of personal data. The American Department of Commerce certifies adhesion to the Safe Harbour principles.

The impact of this ECJ ruling, rejecting the Safe Harbour principles could be of enormous importance for all European entities with suppliers or servers in the United States that need to receive personal data on customers, users or employees in the European Union in order to be able to provide services.

The case began when an Austrian citizen, Maximillian Schrems, lodged a complaint demanding that Facebook Ireland be banned from transferring his personal data to the USA, where Facebook also has servers processing its data. Mr Schrems argued that there was insufficient protection of his fundamental right to privacy in the United States, referring to the revelations made by Edward Snowden regarding the activities of the USA information services.

The High Court in Ireland passed the case up to the European Court of Justice, which is competent to invalidate acts of the European Union, such as the Commission's decision to recognise the Safe Harbor principles.

The Court's analysis is based on the principle that the internal legislation and international commitments of the USA should guarantee a minimum level of protection to the fundamental rights and freedoms, substantially equivalent to that established in the European Union's Directive 95/46. With reference to this principle, the European Court of Justice ruling considered that the following aspects were grounds to invalidate the Commission's decision:

• It does not include a statement of the state rules limiting the interference by the authorities in the right to privacy for the data, and such interference is accepted when they affect legitimate interests such as homeland security.

• The Commission itself declared, in a communication sent to the European Parliament and Council in 2013, that the American authorities could access personal data and process them in a manner incompatible with the purposes for which the data were transferred, going beyond what was strictly necessary for the protection of national security. Thus, the ECJ considers that widespread access to such data, in the form of mass, indiscriminate surveillance of the content of emails, contravenes the essential content of fundamental rights regarding privacy.

• The arbitration mechanisms are limited to commercial litigation and cannot be applied to litigation on the legality of measures taken by the authorities. The Court deemed that there is no efficacious legal protection against interference from the authorities.

• It considered that it is abusive to not establish a possibility for those affected to have a right to access their personal data to rectify or eliminate them.

Reaction to the ruling was immediately forthcoming from the European data protection authorities, which issued a communication calling upon member states to initiate conversations with the American authorities in order to find political and technical solutions to enable data to be transferred to the United States while respecting fundamental rights. If the American authorities have not found a suitable solution before January 2016, and depending on the assessment of the transfer tools by the Working Group, the EU data protection authorities have undertaken to adopt appropriate and necessary measures, which may include coordinated actions in enforcing European law.