In a much-anticipated decision, the European Court of Justice (ECJ) ruled today that the European Commission’s approval of the US-EU Safe Harbor self-certification program is invalid. Safe Harbor establishes a framework for legitimizing the transfer of EU personal data – including the personal data of EU employees, customers and website visitors – to the United States. The program is used by more than 4,000 US companies.
The decision also makes clear that national data protection authorities in Europe have the power to ensure that personal data is protected in accordance with the Data Protection Directive and the EU Charter of Fundamental Human Rights, and that this power cannot be restricted by a decision of the European Commission. The ECJ concluded that EU citizens’ fundamental right to privacy is at risk under the Safe Harbor program because US companies receiving EU personal data “are bound to disregard, without limitation” the protective Safe Harbor principles when those principles conflict with US national security, public interest and law enforcement requirements.
In its initial comments on the decision, the Commission has made clear that it is “at ease” with the ECJ decision, that it has been working for some time to obtain significant improvements to the Safe Harbor program, and that it will be redoubling its efforts to do so. It is possible that recent legislative changes in the US may help resolve some of the ECJ’s concerns. The Commission’s comments also suggest that other adequacy mechanisms are available.
We will continue to monitor the Commission and Member State reactions and will issue further guidance as soon as the immediate and longer-term implications of the ECJ decision become clear.
In the meantime, however, US and European companies currently relying on Safe Harbor to legitimize data transfers from the EU should consider whether alternative justifications (for example, on the basis of consent or contract) are adequate to cover the transfers in question.