News & Press: Legal Updates

European Court of Justice Invalidates US-EU Safe Harbor

Tuesday, October 6, 2015  
Share |

European Court of Justice Invalidates US-EU Safe Harbor

In a judgment released today, the European Court of Justice invalidated the US-EU Safe Harbor, an agreement that allows for the transfer of European citizens’ PII to the US. More than 4,000 US companies relied on the Safe Harbor as a single set of rules governing transatlantic transfers of data. The Court found that the law and practice of the United States do not offer sufficient protection against surveillance of transferred data by public authorities.

The result is that US companies handling European citizens’ data may now be subject to regulation by many different national data protection authorities throughout Europe.

The ruling is in response to a case brought by privacy advocate Max Schrems alleging that Facebook violated his privacy by hosting data in the US that is subject to the NSA’s mass surveillance programs. The case was first brought in Ireland, where Facebook is headquartered in Europe, and Ireland’s data regulator rejected the case stating that it was bound by the Safe Harbor Agreement. Schrems appealed the case to the European Court of Justice and the ruling discussed here is the result of his appeal.

In a statement by US Secretary of Commerce Penny Pritzker, released today in response to the decision, the Department of Commerce expressed its dissatisfaction in the ruling, saying:

“We are deeply disappointed in today’s decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy…

…The court’s decision necessitates release of the updated Safe Harbor Framework as soon as possible…

…We are prepared to work with the European Commission to address uncertainty created by the court decision so that the thousands of U.S. and EU businesses that have complied in good faith with the Safe Harbor and provided robust protection of EU citizens’ privacy in accordance with the Framework’s principles can continue to grow the world's digital economy.”   

For the last two years, the US Department of Commerce and the European commission have been in negotiations to produce a new, stronger Safe Harbor framework and the product of these negotiations had been expected to be released by the end of the year.

Practical Guidance for Research Companies

It’s true that today’s ruling did invalidate the Safe Harbor effective immediately, but it’s likely that national data protection authorities understand that companies will need some time to assess their options and achieve compliance through another means. The UK Information Commissioner’s office released a comment to this affect today.

CASRO advises members to carefully review all transatlantic data transfers that previously relied on Safe Harbor for compliance with the European Data Protection Directive. Once you have identified these transfers, examine risk minimization options like obtaining consent to transfer the data to the US, using model contracts, de-identifying data before transfer, or eliminating transfer all together.

CASRO will continue to monitor this situation closely and provide updates as needed.

Community Search
Member Log In

Forgot your password?

Not A CASRO Member?

Latest News
Website Underwriters