Not So Safe: CJEU Follows Advocate General's Opinion, Declaring Safe Harbor Invalid

Background

On 23 September 2015, Advocate General (AG) Bot found that the Safe Harbor framework, which allowed for the "safe" transfer of personal data from the EU to the US, did not provide sufficient guarantees for the protection of the rights of EU citizens. See our previous article on the AG Opinion. The Court of Justice of the European Union (CJEU) has now followed the AG Opinion and declared Safe Harbor invalid.

The CJEU Decision

The CJEU highlighted shortcomings of the Safe Harbor framework, particularly in light of the Edward Snowden revelations. It emphasised that the scheme is only applicable to US undertakings which adhere to it, and that public authorities are not only not subject to it, but that national security, public interest and law enforcement requirements prevail over the scheme and must disregard the protective rules where they conflict with such requirements. The CJEU stated that such disregard can be seen as "compromising the essence of the fundamental right to respect for private life" and that blocking an individual's right to pursue legal remedies in such an instance "compromises the essence of the fundamental right to effective judicial protection".

What now?

The CJEU's ruling is final and cannot be appealed. Data protection authorities of the EU Member States will now have to determine whether transfers of personal data to the US pursuant to Safe Harbor are to be suspended on the grounds that the US does not afford an adequate level of protection of personal data. The EU and the US have recently been renegotiating the Safe Harbor framework and this decision will either shake (and speed) up their negotiations or derail them.

Impact on business

Those businesses (approximately 4,500) that currently rely on Safe Harbor will need to reconsider their options for transferring data to the US. Companies operating in more than one Member State will need to monitor the responses to the CJEU decision of all data protection authorities in those states in which they operate, as different authorities may adopt different positions. For example, some data protection authorities may adopt a generous grace period, but some may take a stricter approach.

Although companies should avoid knee-jerk reactions, as a first step current data flows regarding US data transfers should be immediately reviewed and alternative methods of transfer—such as Model Contractual Clauses—should be considered.

After enjoying a "Safe Harbor" for the last 15 years, it seems that companies are now to experience some choppy waters ahead.

Please contact Cooley's London Privacy & Data Protection team, which is led by partners Ann Bevitt, Mark Deem and Sarah Pearce to clarify options in light of the ruling and practical alternatives to suit your business needs. They offer multi-disciplinary depth and breadth of experience to clients in data protection, privacy by design, data breach management, incident response, breach preparedness, and related litigation, especially in large breaches and those with multi-national issues.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.