EU Court Declares Safe Harbor Data Transfer Agreement Invalid

October 7 2015

Since 2000, the United States and the European Union have operated under a "Safe Harbor" policy agreement that permitted US companies to transfer personal data of EU citizens under a streamlined set of guidelines in satisfaction of the European Commission's Directive on Data Protection. On October 6, 2015, the Court of Justice of the European Union ruled that national regulators can override the Safe Harbor pact, holding that the Safe Harbor agreement violates the privacy rights of EU citizens due to allegedly indiscriminate surveillance by the US Government.

This ruling calls into question the framework currently used by approximately 4,500 companies that have opted into the Safe Harbor program, under which such companies have hosted and shared the data of EU citizens, including suppliers, customers, and employees. Under the previous Safe Harbor framework, all EU member states were bound to honor the Safe Harbor program, US companies (as well as EU companies operating in the US) that were certified under the program were recognized as providing "adequate" privacy protection under the European Commission's Directive on Data Protection, and compliance with the Safe Harbor principles were reviewable and enforceable within the US legal system. With the Court of Justice's ruling, each EU member state's national regulators now have ability to scrutinize the data practices of a given company under that member state's law, and to enforce any violations in European courts.

Without a comprehensive agreement, the regulatory environment in Europe faces potential fragmentation and complication, which in turn could raise the cost of compliance. While other methods for legal data transfers involving the personal data of EU citizens do exist, they are more cumbersome than the requirements of the Safe Harbor program. Ultimately, any US business that handles the data of EU citizens, or utilizes US-based cloud services to host such data, should contact counsel to review any contracts that relate to such data to ensure they conform to EU member state requirements or are otherwise approved by relevant regulators.

If you have any questions about data privacy and regulatory compliance, please contact one of our information technology attorneys. Click here to view the full text of the ruling of the Court of Justice.

Firm Highlights
News

David W. Sweeney Interviewed in Realtime REALTOR® Podcast on Changes to Elections in the City of St. Louis

More
News

Kansas City Office of Lewis Rice Names New Member

More
Diversity & Inclusion

Two Lewis Rice Members Selected for Leadership Council on Legal Diversity Programs

More
News

Lindsay S. C. Brinton and Meghan S. Largent Negotiate $1.4 Million Settlement for Landowners along Legacy Trail

More
Client Alert

Employers, Start Planning Now – Get Ahead with the Upcoming H-1B Cap Season

More
News

Lewis Rice Names Brian J. Figueroa Member of the Firm

More
Client Alert

Supreme Court Decision Provides Good News for Creditors

More
News

Paul R. Himmelstein Joins Lewis Rice Kansas City Office

More
News

David W. Sweeney Named to Missouri’s POWER List for Lawyer-Lobbyists by Missouri Lawyers Media

More
Diversity & Inclusion

Apollo Carey Selected for Leadership Council on Legal Diversity’s (LCLD’s) 2021 Fellows Program

More
News

Lewis Rice Wins Significant Victory for Atlanta Landowners Impacted by the Belt Line Rail-Trail

More
Diversity & Inclusion

Jerina D. Phillips Selected for Leadership Council on Legal Diversity’s (LCLD’s) 2021 Pathfinder Program

More
Client Alert

New York State Regulator Discourages Ransomware Payments and Publishes New Cyber Insurance Risk Framework

More
News

Jerina D. Phillips Offers COVID-19 Vaccination Advice for Employers in St. Louis Magazine Article

More
News

Jeremy P. Brummond’s Article on Waivers of Consequential Damages is Published in Construction Executive

More
Client Alert

City of St. Louis 2021 Primary Municipal Election: Meet the Candidates

More
Client Alert

Have You Done Your Annual CCPA Housekeeping?

More
Diversity & Inclusion

Fatima G. Khan Elected President of South Asian Bar Association of Metropolitan St. Louis

More
Client Alert

Virginia Passes Sweeping Data Privacy Legislation Similar to CCPA and GDPR

More
News

Brian P. Pezza Discusses Vaccination Considerations for Employees in Society for Human Resource Management (SHRM) Article

More