In a case now known as “Schrems,” the Court of Justice of the European Union ruled on October 6, 2015 that the EU-U.S. Safe Harbor program – which has been in place since 2000, allowing U.S. companies complying with the Safe Harbor principles to transfer personal data on EU citizens from the EU to the U.S. – is invalid. This ruling affects all businesses that transfer personal data from the EU to the U.S.
There have always been two other methods to legally circumvent the Data Directive’s prohibition against cross-border data transfer to the U.S. – Binding Corporate Rules and Model Contractual Clauses. But in the wake of the Safe Harbor ruling, European Data Protection Authorities are questioning these methods as well and advising that companies transferring personal data to the U.S. do a complete review of those data transfers, and consult with the relevant member-state Data Protection Authority in basically every instance.