On 6 October 2015, the European Court of Justice declared the European Commission’s Decision 2000/520/EC of 26 July 2000 (the “Safe Harbor Decision”) invalid.
The Safe Harbor Decision stipulated that under the “safe harbor” scheme, i.e. the principles regulating the protection of personal data applied voluntarily by United States undertakings for secure data transfer, the United States provides for a level of protection of personal data that is adequate when compared to European standards in accordance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995. This decision of the European Court of Justice may have far-reaching implications for the future conditions for transfer of personal data to countries that do not guarantee the same level of protection as EU members and signatories of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the “Convention”).
The safe harbor agreements allowed approximately 4,500 United States undertakings, including Google and other IT giants, to legally transfer user, customer or employee data from Europe to the US by offering adequate protection of personal data. However, in light of Edward Snowden’s leaks regarding mass surveillance of personal data by the National Security Agency (the “NSA”), it was clear the US is not capable of adhering to the strict requirements set out in European regulations. Hence, the Court found that “the existence of the Safe Harbor Decision finding that a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the Charter of Fundamental Rights of the European Union and the directive”. The main practical implications of this ruling for American undertakings are twofold: (i) they may have to adapt to a number of different data protection regulatory environments and (ii) they may face considerably closer inspection from individual national data regulators in Europe with regard to conformity of data transfer procedures with European legislation.
Similar to EU provisions, the Serbian Data Protection Act provides that personal data may be transferred to a third country only if such third country provides for at least an identical level of personal data protection in accordance with the Convention. Any transfer of personal data to those third countries is preconditioned by the approval of the Serbian Data Protection Commissioner. Although Serbia is not part of the European Union, the Serbian Data Protection Commissioner has in practice shown strict adherence to European standards and has insisted on applying the highest level of protection of personal data. With the decision of the European Court of Justice, the Serbian Data Protection Commissioner may be inclined to impose more rigorous requirements on the transfer of personal data to the US, and perhaps even start denying its approval to safe harbor agreements. Needless to say, this could have devastating implications for any United States undertaking wishing to transfer personal data to the US, since it would be faced with finding new and innovative solutions to circumvent the mandatory preconditions existing in the Serbian law.
By Milan Samardžic, Partner and Nikola Kasagic, Senior Associate, SOG / Samardzic, Oreski & Grbovic