The Garante della Privacy (the Italian Data Protection Authority) has recently brought its position into line with the judgment of the Court of Justice of the European Union (CJEU) of 6 October 2015. The High Court of Ireland had referred to the CJEU a case filed by an Austrian activist, who was concerned about the fate of his personal data posted on a well-known American social network. The CJEU then declared the Safe Harbour system (i.e. the system regulating the transfer and exchange of personal data between the European Union and the United States) invalid, as incompatible with EU legislation (in particular with the so-called “Data Directive”) concerning the protection of personal data.

The Safe Harbour system is a mechanism aimed at strengthening commercial activities by facilitating the exchange of personal information between the two sides of the Atlantic, and designed to adequately protect that information. It was established by European Commission Decision 2000/520/EC and was based on a self-regulatory mechanism (which implies voluntary compliance by US organizations and/or companies with the seven “safe harbour” principles) and on self-certification of adherence to these principles by the organizations and/or companies. According to Decision 2000/520/EC, the safe harbour principles were considered capable of ensuring an adequate level of personal data protection and, therefore, adherence to these principles was in itself enough to ensure observance of the “Data Directive” provisions.

After staying the proceedings, the High Court of Ireland referred two questions to the CJEU concerning: a) the scope of the powers of the independent national data protection authorities and b) the validity of the Safe Harbour system as a whole. On the first question, the CJEU responded that the individual national data protection authorities are vested with powers to check that such transfers comply with the provisions of the “Data Directive”. On the second question, the CJEU ruled that the judicial system of a third State is considered capable of ensuring an adequate level of personal data protection if it ensures protection equivalent to that guaranteed in the EU. In this context, the Court criticized Decision 2000/520/EC for several reasons, among them the fact that the Safe Harbour principles apply only to organizations that have adhered to them and not to the US public authorities, which are not bound to comply with them and which, therefore, may access the data of European users under any circumstance once those data have been transferred to the United States through the “Safe Harbour” system. This circumstance is seriously incompatible with the level of protection of fundamental rights guaranteed in the European Union, which is rather protective as far as privacy is concerned as well.

Therefore, the Italian Garante has ordered the termination of its authorization (which had been granted on the basis of the Safe Harbour principles) and prohibited data exporters from transferring personal data from Italian territory to the U.S.A. This is evidently a necessary act, since the prerequisite for the legitimacy of those transfers no longer exists.

The same Authority, while reserving the right to carry out checks to verify the legality and correctness of data transfers by those who export data, has naturally pointed out in its decision that the transfer of personal data to a non-European country can be made on the basis of other legitimate tools, such as, for example, the standard contractual clauses or rules of conduct adopted within the same group (the so-called BCRs, Binding Corporate Rules).

(Bologna Office – Stefano Campogrande – 0039(0)51 2750020)
