On 6 October 2015, the CJEU delivered its judgment on a preliminary reference from an Irish court in matter of data protection.
An Austrian user of Facebook made a complaint to the Irish Data Protection Commissioner, asking the authority to prohibit Facebook Ireland from transferring his personal data to the United States, because of the non-adequate level of data protection in the country. The Commissioner rejected the complaint, pursuant to the Commission’s Decision 2000/520, the “Safe Harbour Agreement” which consider adequate the U.S. data protection law.
The Irish High Court reviewed the Commissioner’s decision, and asked the CJEU to rule on whether the Commissioner was absolutely bound by the Commission’s decision on US law, and whether the Commissioner should instead carry out its own review of US law.
The CJEU ruled that the Data Protection Directive must be interpreted as meaning that a Commission decision does not prevent a national authority from examining a claim from an individual about the level of data protection.
The Court also examined whether the Commission’s decision complied with the Data Protection Directive and the EU Charter of Fundamental Rights, concluding that it was invalid, because the Commission did not state that the United States in fact ‘ensures’ an adequate level of protection by reason of its domestic law or its international commitments.
A new Safe Harbour Agreement is currently being negotiated between U.S. and EU. In the meanwhile, the transfer of European data to the U.S. could be made under model contract clauses.