In the judgment dated 6th October 2015, the Court of Justice of the European Union (CJEU) invalidated the European Commission’s decision 200/520/CE, which contemplated that the United States guaranteed an adequate level of protection of the transmission of personal data on European citizens. Said judgement clearly affirms that European citizens’ personal data stored by American companies do not posses a level of protection similar to that provided by the European Union due to the adhesion to the “Safe Harbour”.
By virtue of the Directive 95/46/CE of 24th October 1995, on the protection of individuals with regard to the processing of personal data and their free circulation, personal data may only be transferred to a third country when it can guarantee an adequate level of protection. The European Commission may declare that a third country guarantees an adequate level of protection regarding its internal regulations or its international commitments, as declared in said Decision 200/520/CE, regarding the United States.
The CJEU considered that the Decision 200/250/CE should not render ineffective nor limit the national authorities’ faculties on data protection. Furthermore, the CJEU also pointed out that no provision of the European directives in the field prevents national authorities from controlling the transfer of personal data to third countries object of the Commission’s decision. In turn, the CJEU also declared that said Decision is invalid as the Commission did not verify whether the United States possessed a protection system within the scope of personal data protection comparable to that of Europe.
The immediate effect for companies of said declaration is that, henceforth, the transfer of personal data between Europe and the United States will have to be approved by the state administrative authorities. In Spain, an approval from the Director of the Spanish Data Protection Agency will be required.
Finally, it is expected that at the beginning of 2016 a General Regulation of the EU on Data Protection shall be approved, the objective of which is to provide companies that manipulate EU citizens’ data with a range of tools in order to adapt their regulations to the European legislation. Through this regulation, the aim is to unify different Member States’ legislations so that they provide companies with simpler business procedures in which the legal obligations in the field of data protection are defined.
Vilá Abogados
For more information, please contact:
13th November 2015
