On October 6, 2015, the European Court of Justice (ECJ) issued a ruling invalidating the U.S.-EU Safe Harbor Framework (Safe Harbor). The ruling immediately impacts companies that have relied on Safe Harbor certification for authority to transfer data from the European Union to the United States for processing, as well as companies that use vendors or suppliers that have relied on the Safe Harbor.
EU law permits the transfer of personal data to a third country only if that country ensures adequate protection of the data. A European Commission decision in 2000 declared that the United States’ laws and policies provided adequate protection.
Following a nonbinding opinion on the case by the ECJ’s Advocate General, the ECJ made two major determinations in today’s ruling:
- The European Commission decision authorizing the Safe Harbor is invalid.
- Each of the 28 national data protection authorities (DPAs) has complete independence from the European Commission to consider challenges to the adequacy of data protection by the United States and individual U.S. companies.
Impact of the Decision
The decision immediately removes the presumption of adequate protection by companies in the United States in two ways. First, the Commission’s determination that the United States has adequate data protection is no longer valid. Second, the determination of adequacy for a U.S. company through self-certification is also no longer valid.
The decision will severely impact companies that have relied on Safe Harbor certification for authority to transfer data from the EU to the U.S. for processing, as well as companies that use vendors or suppliers that have relied on the Safe Harbor. Additionally, there are no longer strong restrictions on when a DPA can suspend data transfers. As a result, DPAs can immediately suspend data transfers during an investigation, even before a determination of inadequacy has been made.
What This Means to You
Companies affected by this decision should work quickly to establish alternative means of data transfer. Options to consider include model contract clauses, binding corporate rules and consent for non-employee data transfers.
Read the press release from the European Court of Justice.
Read the full text of the October 6, 2015, ECJ ruling.