What does this cover?

The ECJ has ruled that the Safe Harbor regime is no longer considered to provide adequate protection for personal data transfers from the EEA to the USA.

On 23 September 2015 the Advocate General (AG) delivered a non-binding Opinion in the case of Maximillian Schrems v Data Protection Commissioner (Case C‑362/14).

Today has seen the adoption of the AG's recommendations, with the ECJ ruling that: 

  • when dealing with a complaint,  national supervisory authorities must be able to examine, with complete independence, whether the transfer of a data subject's personal data to a third country outside of the EEA complies with the requirements laid down by the Directive; and  
  • the Commission Decision (2000/520/EC of 26 July 2000) that confirmed the adequacy of the protection provided by Safe Harbor principle is invalid, due to the inadequate protection it gives to EU personal data.

DACB's full briefing on this can be found here

What action could be taken to manage risks that may arise from this development?

Companies should:

  • carry out an audit of all existing contracts involving the transfer of personal data from the EU to the US under Safe Harbor;  
  • prioritise suppliers on the basis of volume and sensitivity of personal data;  
  • if presented with Model Clauses agreements from US suppliers, European companies should:  
  • ensure the correct version has been provided depending on the designation of the service provider as a data controller or data processor;  
  • assess the security measures appended to the Model Clauses against its own IT security standards; and  
  • ensure that the processing description schedule accurately reflects the personal data and the purposes for which it is transferred.