This week the Court of Justice of the European Union made a landmark ruling that the US – EU data sharing scheme known as “Safe Harbor” is invalid.
This followed a complaint by Max Schrems (an Austrian citizen and privacy campaigner) against Facebook that, in the light of the Edward Snowden revelations of 2013, once personal data is transferred to the US, the law of the US offered no real protection against surveillance.
The Court held that the Safe Harbor scheme cannot trump the power of local Data Protection Authorities to investigate complaints. This was key to protecting the fundamental right to data privacy contained in the 1995 EU Data Protection Directive (which must be read in light of the EU Charter of Fundamental Rights).
It also held that Safe Harbor was invalid as it failed to: (i) consider whether domestic US law provides adequate protection to data; (ii) include controls around the ability of US law enforcement agencies to access information held by US companies; and (iii) consider how European citizens might be able to redress inappropriate use of such powers. In other words, there were architectural defects in the Safe Harbor regime.
This means that Safe Harbor is no longer a valid method for transferring data to the US. But there is no need to immediately panic or suspend all transfers to the United States! You should start assessing the position immediately. Further guidance from regulators has been promised in short order.