On 6 October 2015 the Court of Justice of the European Union (CJEU) handed down its decision on Safe Harbor in the Schrems case. The Court agrees with the Advocate General and says that:

  • DPA Decision: the fact that the EU Commission had made a Decision (2000/520/EC) to approve the US Safe Harbor, does not prevent national data protection authorities from investigating claims in connection with it; and
  • Safe Harbor Decision: the Commission's decision (2000/520/EC) on Safe Harbor is invalid.

The ICO has subsequently issued a press release. It says that businesses should review how data is transferred to the US but that it recognises this will take some time. The ICO also reminds everyone that Safe Harbor is not the only basis for data transfers and that the ICO is considering the judgment in detail and working with counterpart data protection authorities in other EU member states to issue further guidance for businesses on the options available. Clearly, the message is: "Don't Panic". The Commission said the same thing in its press conference on 6 October.

There are currently 4,465 companies signed up to the self-certification Safe Harbor regime. Technically, the Safe Harbor data export permission no longer applies. Companies therefore need to find alternative legal bases for data exports from Europe to the US. The Commission in its press conference has said it is important that transborder data flows continue and that guidance will be published for EU businesses to ensure clarity and certainty. The Commission has also said that it is "well advanced" in agreeing a new Safe Harbor 2.0 package, but could not give any time frame for finalising this.