EU Court Declares Safe Harbor Data Transfer Agreement Invalid

October 7 2015

Since 2000, the United States and the European Union have operated under a "Safe Harbor" policy agreement that permitted US companies to transfer personal data of EU citizens under a streamlined set of guidelines in satisfaction of the European Commission's Directive on Data Protection. On October 6, 2015, the Court of Justice of the European Union ruled that national regulators can override the Safe Harbor pact, holding that the Safe Harbor agreement violates the privacy rights of EU citizens due to allegedly indiscriminate surveillance by the US Government.

This ruling calls into question the framework currently used by approximately 4,500 companies that have opted into the Safe Harbor program, under which such companies have hosted and shared the data of EU citizens, including suppliers, customers, and employees. Under the previous Safe Harbor framework, all EU member states were bound to honor the Safe Harbor program, US companies (as well as EU companies operating in the US) that were certified under the program were recognized as providing "adequate" privacy protection under the European Commission's Directive on Data Protection, and compliance with the Safe Harbor principles were reviewable and enforceable within the US legal system. With the Court of Justice's ruling, each EU member state's national regulators now have ability to scrutinize the data practices of a given company under that member state's law, and to enforce any violations in European courts.

Without a comprehensive agreement, the regulatory environment in Europe faces potential fragmentation and complication, which in turn could raise the cost of compliance. While other methods for legal data transfers involving the personal data of EU citizens do exist, they are more cumbersome than the requirements of the Safe Harbor program. Ultimately, any US business that handles the data of EU citizens, or utilizes US-based cloud services to host such data, should contact counsel to review any contracts that relate to such data to ensure they conform to EU member state requirements or are otherwise approved by relevant regulators.

If you have any questions about data privacy and regulatory compliance, please contact one of our information technology attorneys. Click here to view the full text of the ruling of the Court of Justice.