On October 6, 2015, the Court of Justice of the European Union ruled that the EU-US Safe Harbor arrangement is invalid. The Safe Harbor Principles, which have been in effect since 2000, enabled US companies to import personal data from EU countries without violating EU data protection laws.

Privacy and data protection laws have been highly developed in EU member states. All of the member states are signatories to the European Convention on Human Rights, which provides protection for – among other things – "private and family life." In 1998, recognizing that data protection laws in the member states were diverging, the European Commission issued Directive 95/46/EC (the "Directive") to create a comprehensive data protection system throughout the EU. Shortly thereafter, the U.S. Department of Commerce, working with the European Commission, developed the Safe Harbor Principles. Information transferred to U.S. companies that self-certified compliance with the Safe Harbor Principles was deemed to remain subject to protections that were "essentially equivalent" to the protections afforded under the Directive. Over 4000 US companies took advantage of the selfcertification process under the Safe Harbor Principles.

The Safe Harbor Principles have been criticized as being inadequate almost from their inception. The issue finally came before the Court of Justice of the EU as a result of a case filed in Ireland by an Austrian citizen, Maximillian Schrems. Schrems complained that Facebook violated his privacy rights by allowing US intelligence officials unlimited access to his information. The Irish court asked the EU court whether, in light of the Safe Harbor Principles, the Irish court had the authority to investigate Schrems' complaint. The EU Court held that the Irish Court had an obligation to investigate claims like Schrems' and that the Safe Harbor Principles were invalid because they allowed US law enforcement and intelligence officials unfettered access to protected data and, therefore, were not "essentially equivalent" to the protection afforded under EU law. This EU ruling applies to everyone (not just the parties to the case), cannot be appealed, and became effective immediately.

Without the Safe Harbor Principles, US companies must develop alternate methods to comply with EU data protection laws. In the short term, that most likely means using model contract clauses that have been approved by the European Commission, although such clauses probably will not provide the level of protection for US companies that was previously available under the Safe Harbor Principles. In the longer term, multinational groups of companies can adopt Binding Corporate Rules ("BCRs") governing transfers of personal data within the group. BCRs must be approved by the data protection authorities in the EU countries from which data will be transferred and are not effective with respect to transfers to entities outside the company group.

Stay tuned:

  • The European Commission is expected to issue post-Safe-Harbor guidance soon.
  • The U.S. Department of Commerce has been negotiating a revised Safe Harbor arrangement with the European Commission for about two years. A proposed draft is expected to be issued within the next several months.
  • The European Commission is currently working on a General Data Protection Regulation ("GDPR"), which would replace the Directive. The Commission issued a draft of the GDPR in January 2012, which addressed globalization and technological developments that have occurred since the adoption of the Directive, such as social networks and cloud computing. Adoption of the GDPR is targeted for 2017, with a 2-year implementation period thereafter.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.