merrion street

I note today’s ruling by the Court of Justice of the European Union in the case of Maximilian Schrems v Data Protection Commissioner, in which the Court has declared that the European Commission's US Safe Harbour Decision is invalid and no longer provides a legal framework for the transfer of data between the EU and the US. 

This case has revolved around the question of whether the Safe Harbour mechanism has provided adequate protection to EU citizens when their personal data is transferred to the United States. At the heart of this matter is ensuring high standards of data protection for the citizens of the EU when their data is being transferred to the United States.

The Court's ruling that the Commission's Safe Harbour Decision is invalid changes the law. The judgement has clarified that it is now for the Data Protection Commissioner to revisit Mr Schrems’ complaint and carry out the necessary investigations.

In relation to Safe Harbour, the European Commission and the US have been in negotiations since 2013 on strengthening and revising the mechanism’s data protection safeguards. I have been urging both parties to agree a solution that will safeguard privacy and facilitate the lawful transfer of data from the EU to the US through this channel. I understand that good progress is being made and that agreement is close.

The transfer of data from the EU to the US is important to the business model of many players in the digital industry, and supports significant jobs and investment across the EU. Safe Harbour had provided a legal framework for such data transfer but it has been found to be unsatisfactory. While negotiations continue on its successor, there are alternative legal arrangements with appropriate privacy safeguards available to business, on which the Office of the Data Protection Commissioner can advise.

The EU and the US must take this opportunity to set robust global standards for the protection of personal data. The legitimate and safe use of personal data, and indeed the need for data transfer must always be balanced with strong standards for the protection for personal data. The EU and U.S. need to find this balance, one that can command the confidence and trust of both the citizen and business.