The European Court of Justice (EJC) has ruled (C 362/14) that the EU Commission cannot decide that the Safe Harbor scheme allows for transfer of personal data to the US.

The Court attaches importance to the fact that the Safe Harbor scheme yields to US security requirements; that EU citizens' personal data transferred to the US is therefore not protected against interference by the US authorities and that no effective protection against such interference is available.

The ruling implies that the Commission's decision concerning the Safe Harbor scheme is invalid. Consequently, it will be more difficult to transfer personal data to the US because it will no longer be possible to apply the Safe Harbor scheme as basis for a transfer of data to the US.
This will affect Facebook, being a party to the case, but it will also affect other IT giants in the US such as Apple and Google, and companies currently transferring data from the EU to the US based on the Safe Harbor scheme.


According to the personal data directive, personal data may only be transferred to countries outside the EU if these countries ensure an adequate level of protection.

In 2000, the Commission ruled that the US ensured an adequate level of protection when transferring personal data to the US according to the Safe Harbor scheme. The scheme is an agreement between the EU and the US concerning the principles of protection of personal data, and US companies can join the scheme.

The case started when an Austrian citizen, Maximilliam Schrems, complained about Facebook to the Irish data protection agency. The complaint was based on the fact that Facebook stores data on EU citizens on a US server.

In his opinion, this was illegal as Edward Snowden's revelations on the NSA's access to data in the US had proved that US legislation does not provide adequate protection of personal data.
The Irish data protection agency dismissed the complaint referring to the Commission's decision from 2000.

The matter was brought before the Supreme Court of Ireland, which requested the ECJ to verify the validity of the Commission's decision from 2000, in particular in the light of the development of the security of data stored in the US. The ECJ ruled that the Commission's decision concerning Safe Harbor was invalid.