On October 6, 2015, the European Court of Justice (the European Union's highest court) struck down the US-EU Safe Harbor Agreement that previously allowed companies to store personal data about Europeans on U.S. servers, and to transfer data to the U.S., without getting caught in Europe's web of country-specific privacy and data transfer rules. The Court's ruling threatens to wipe out 15 years of accepted business practices overnight.
From 2000 until this week's ruling, companies could internally control their data privacy activities as long as they certified that they were complying with the Safe Harbor Agreement. The Court ruled that this 15-year-old self-certification system does not adequately protect Europeans whose data might be transferred out of the EU. Instead, the Court’s decision leaves it to each European country's regulators to evaluate all data transfer and protection systems under their respective jurisdictions. In essence, multinational companies must now comply on a country-by-country basis instead of relying on one all-encompassing Safe Harbor.
So any business that previously used the US-EU Safe Harbor model to comply with EU privacy directives must reassess years of compliance practices. Moreover, the ruling may impact any U.S. business or company that collects, stores, or transfers data from the EU to the U.S., including data related to company employees working in the EU.