ECJ: Safe Harbor Agreement invalid

The ECJ has declared the Safe Harbor Agreement invalid, as the general media has also reported. The Safe Harbor Agreement is a legal construct that makes the transfer of personal data to certain companies in the USA permissible; it is needed because every data transfer to a non-EU country requires justification under data protection law. Online store operators who use service providers in the USA should therefore check whether their setup complies with data protection law. Many online store operators will be affected, for example, through the integration of Google Analytics or the operation of a Facebook fan page.

Apart from the Safe Harbor Agreement, two options in particular are available that do not require the consent of the data subject: either the respective contract with the data subject inherently requires a data transfer to the USA (e.g. a delivery address in the USA), or a separate contract is concluded with the service provider in the USA. This contract must contain standard contractual clauses approved by the EU Commission. There are other options, but these do not generally appear to be expedient for online store operators.

With regard to Google Analytics, one view holds that when the anonymizeIp function is used, no personal data (only a non-personal part of the IP address) is transferred to the USA, and that there are therefore no concerns. However, this can also be assessed differently, especially considering that the code implementing the anonymizeIp function is itself loaded from Google Inc. beforehand, meaning that Google Inc. has full control over whether anonymization takes place or not.

The data protection authorities have already announced a strict approach and inspections in October and have pointed out the relevant fines (up to EUR 300,000.00).

Date: 9. Nov 2015