Today the European Court of Justice (“ECJ”) issued its judgment in the Max Schrems case, in which it declared the European Commission’s decision on Safe Harbor invalid. The Commission’s decision in 2000 found that companies participating in the US Department of Commerce Safe Harbor framework were operating under an “adequate” data protection regime and could thus rely on the Safe Harbor as a permissible basis to transfer personal information from the EU to the US. The judgment comes less than two weeks after the publication of the opinion from Advocate General Bot in which he advised that national Data Protection Authorities (“DPAs”) must be able to investigate an individual request to suspend data flows to the US by a company certified under the Safe Harbor scheme, and in which he also found the Safe Harbor scheme to be invalid.
In a press conference held following the publication of the judgment, the Commission confirmed that its objectives are: (i) to guarantee the protection of individuals’ personal data when transferred to the US; (ii) to step up ongoing talks with US authorities about continuing transatlantic data flows and, in particular, in respect of finalising a new Safe Harbor version 2.0; and (iii) to issue guidance to national DPAs to ensure a coordinated response to the ECJ’s judgment during this transitional period. Commissioner Vera Jourová said that transatlantic data transfers can continue under legal bases other than Safe Harbor.
Businesses relying on the US-EU Safe Harbor scheme, whether for intra-group transfers or for transfers from or to third parties, will need to reassess their international data transfer solution and decide whether to adopt alternative solutions such as Binding Corporate Rules or EU standard contractual clauses, or whether to rely on one of various derogations, such as where the transfer is necessary to perform a contract or is based on the individuals’ consent. Also, the Court’s judgment implies that DPAs will need to assess whether the level of protection in the US for a specific type of data transfer is “essentially equivalent” to the level of protection in the EU.