1. Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.
As a result, individual European countries can now apply their own regulations for companies’ handling of their citizens’ personal data when that data will flow to the US, creating enormous uncertainty for all contexts in which those transfers take place, which in the age of the Internet is almost all the time. EU countries can, if they wish, choose to suspend the transfer of data to the US, forcing companies to host personal data exclusively within Europe.
For most companies, this will mean a quick turn to “model clauses” executed between European “data controller” companies or affiliates and US “processor” companies, even though the logic of the decision — grounded in misunderstandings about US governmental surveillance of personal information — would, if extended, undermine both model clauses and binding corporate rules (BCRs). Consent of the individual — so fragile, revocable and temporary — is the only major basis for data transfers to the US that remains logically unscathed by this decision, because unlike model clauses and BCRs, it does not rely on fictitious protection of the individual from (mostly fictitious) surveillance.
There is, of course, a great deal more to say, and you have many other news sources, so I will end for the moment with this provocative question: Does this decision presage stronger global data protection, or the death of the nation state, or — for the world to work and data to keep flowing — a new regime of contract, i.e. not the model clauses, but contracts with the person at the center?