On 6 October 2015, the Court of Justice of the European Union (CJEU) declared the EU-US Safe Harbor framework invalid as a mechanism to legitimize transfers of personal data from the EU to the US.  This decision effectively leaves any organisation that relied on Safe Harbor exposed to claims that such data transfers are unlawful.

Safe Harbor was jointly devised by the European Commission and the U.S. Department of Commerce as a framework that would allow US-based organisations to overcome the restrictions on transfers of personal data from the EU.  Following a dispute between Austrian law student Max Schrems and the Irish Data Protection Commissioner, the CJEU was asked to consider whether a data protection supervisory authority was bound by the European Commission’s decision that Safe Harbor provided an adequate level of protection for European data.

In its ruling, the CJEU goes beyond this specific question and takes the view that Safe Harbor does not in fact provide an adequate level of data protection, because it is unable to prevent large-scale access by the U.S. intelligence authorities to data transferred from Europe.

What is the practical effect of the decision?

The decision invalidating Safe Harbor has the following consequences:

  • Transfers of personal data from the EU to the US currently covered by Safe Harbor will be unlawful unless they are suitably authorized by data protection authorities or fit within one of the legal exemptions.
  • Multinationals relying on Safe Harbor as an intra-group compliance tool to legitimize data transfers from EU subsidiaries to their US parent company or other US-based entities within their corporate group will need to implement an alternative mechanism.
  • US-based service providers certified under Safe Harbor to receive data from European customers will need to provide alternative guarantees for those customers to be able to engage their services lawfully. Our suggested plan of action

In the light of the CJEU’s judgment, our advice to organisations affected by it is as follows:

  1. Carry out a data transfers assessment to identify which data transfers from the EU to the US had been legitimized by Safe Harbor.
  2. Prioritise key transfers for the business by reference to the nature of the data and its use.
  3. For intra-group transfers, identify all of the entities involved and assess the most suitable alternative to Safe Harbor.  In the short term, this is likely to involve an interim contractual solution whilst more permanent mechanisms – such as BCR – are considered.
  4. For transfers to service providers, review any existing contracts for references to Safe Harbor and determine whether the relevant vendor is offering a suitable contractual option or is able to rely on a Processor BCR.
  5. US-based service providers should consider the most appropriate legal mechanism to enable customers to continue to use their services lawfully.