On 6 October 2015, the EU Court of Justice invalidated the Safe Harbor decision previously issued by the European Commission (Decision 2000/520). The Decision recognized US Safe Harbor principles as offering an adequate level of protection for personal data and allowed for the lawful transfer of personal data from the EU to the US. This landmark ruling was issued in the case of Maximilian Schrems v Data Protection Commissioner (Case C-362/14).

Safe Harbor was the US’s response to EU data protection laws, which prohibit the transfer of personal data to a country outside the EU unless the country ensures an "adequate level of protection of personal data". Safe Harbor was intended to provide an adequate level of protection.

The Court found the Decision to be invalid for several reasons, the most important being that the Decision contains various derogations from the level of protection, including some that allow Safe Harbor to be bypassed or ignored for US national security reasons. The Court, following its Advocate General, stressed that US public authorities’ access, on a generalized basis, to content in electronic communications must be regarded as an invasion of privacy.

It will now be up to national data protection authorities of Member States to decide whether particular data transfers to the US receive an "adequate level of protection".

If personal data is transferred to US organizations, we recommend that businesses in the EU:

  • assess which safeguards were implemented to assure adequate protection; Safe Harbor is not the only means for a lawful transfer of data to the US; and
  • if Safe Harbor was relied upon, consider implementing other safeguards, such as obtaining the unambiguous consent of data subjects for the transfer or implementing binding corporate rules (BCR).

Entering into the so-called EU model contracts is another alternative. At this moment, however, it is unclear how reliable the model contracts are, since they contain a considerable limitation of the supervisory powers of national data protection authorities. In fact, the European Court listed this limitation as a key reason it invalidated the Decision.

Law: Court of Justice of the European Union, Maximilian Schrems v Data Protection Commissioner (Case C-362/14)

Tom De Cordier