US data protection safe harbor declared invalid by European Court of Justice

Data Protection, Privacy and Security Alert

Today, in a groundbreaking decision, the Court of Justice of the European Union (CJEU) declared the US Safe Harbor scheme to be invalid, as well as confirming that individuals have the right to challenge any similar schemes that may be established by the European Commission through their national data protection authorities.

The US Safe Harbor framework was established 15 years ago to provide a mechanism by which European businesses could validly transfer personal data from the EU to the US. The framework has been widely adopted, with over 5,000 companies currently using the scheme to support the free flow of data across the Atlantic. It is commonly adopted to support data transfers in intra-group operations (for example, to assist a US parent in managing EU based activities) and outsourced services involving a US cloud or software-as-a-service (SAAS) provider.

The CJEU’s decision will have a significant and immediate impact for any business relying on Safe Harbor to enable these operations and will require a change in approach to cross-border data transfers.

The Commission confirmed today that it is working with member state data protection authorities on how to deal with transfers in light of the decision, in order to avoid a potential patchwork of contradictory DPA interpretations. It further expressed confidence in its efforts to negotiate a reform of the safe harbor with US negotiators.

Find out more about this dramatic change.