On October 6, 2015, the Court of Justice of the European Union (CJEU), the EU’s highest court, invalidated the U.S.-EU Safe Harbor framework that had defined the standard for transfers of personal data from the EU to the U.S. since 2000. European law prohibits the transfer of personal data of individuals in the EU to countries outside the EU unless those countries guarantee an adequate level of protection. The U.S. Department of Commerce and the European Commission jointly developed the Safe Harbor framework as a compliant basis for such transfers, with enforcement in the U.S. by the Federal Trade Commission (FTC), and thousands of organizations have relied on it to shape their data privacy practices and policies. Now, according to the Article 29 Working Party (the EU’s advisory body of national data protection authorities), “transfers that are still taking place under the Safe Harbor decision after the CJEU judgment are unlawful.”
The CJEU’s decision stems from a complaint lodged by an Austrian privacy activist with the Irish Data Protection Commissioner concerning Facebook Ireland (the site of Facebook’s international headquarters), alleging that the Safe Harbor failed to protect the privacy rights of individuals in the EU in light of the large-scale U.S. intelligence surveillance activities revealed by Edward Snowden in 2013. The full text of the ruling (Case C-362/14, Schrems v Data Protection Commissioner) is available from the CJEU. As a result of the decision, multi-national companies, even those that have self-certified to the Safe Harbor with the Department of Commerce, can be found liable for violating the EU Data Protection Directive and the data privacy laws of individual EU member states. This affects both intra-organizational data transfers and transfers to third-party service providers where the personal data of individuals in the EU is involved.
While the Department of Commerce has acknowledged the decision, it recently issued an advisory stating that it would continue to accept and process Safe Harbor self-certification submissions. It is not certain what, if any, benefit self-certification will now provide. To reduce the risk of liability, multi-national companies that continue to transfer and process personal data from the EU may need to put European Commission-approved Standard Contractual Clauses in place for each transfer, adopt Binding Corporate Rules approved by the relevant data protection authorities, or rely on another recognized legal basis for the transfer. Without such safeguards, companies risk legal action resulting in monetary fines and/or a prohibition on data transfers from the EU to the U.S. Companies that have relied on the Safe Harbor to transfer European personal data to the U.S. are invited to contact us to discuss alternative measures for compliance.