US Safe Harbor Framework declared invalid

See our checklist addressing steps to consider now to legally transfer personal data to the US

Intellectual Property Update

Data Protection, Privacy and Security Alert

October 6, 2015, in a ground-breaking judgment, the Court of Justice of the European Union declared the US Safe Harbor framework to be invalid, and confirmed that individuals have the right to challenge any similar adequacy decisions that may be established by the European Commission through their national data protection authorities.

The US Safe Harbor framework was established 15 years ago to provide a mechanism by which European businesses could validly transfer personal data from the EU to the US. The framework has been widely adopted, with over 4,500 companies using the framework to support the free flow of data across the Atlantic. It is commonly adopted for data transfers needed to support intra-group operations (for example to assist a US parent in managing EU-based activities) and outsourced services involving a US cloud or software-as-a-service provider.

The decision of the Court will have a significant and immediate impact for any business relying on Safe Harbor to legitimize transfers and will require a change in approach to cross-border data flows.