Safe Harbor Framework For Data Transfers Between U.S. and EU Invalidated
Earlier today, the Court of Justice of the European Union (CJEU) issued a decision in Maximillian Schrems v Data Protection Commissioner, declaring invalid the EU-U.S. Safe Harbor framework that provided a mechanism for businesses to transfer personal data of European citizens to the United States.
In the landmark decision, the CJEU ruled such transfers are prohibited by EU law unless they fall within certain legal exemptions or are authorized by the data protection authorities in the individual EU Member States. Thousands of American companies—especially technology companies or those with a substantial online presence—previously relied on the Safe Harbor to transact daily business.
The CJEU concluded that the Safe Harbor, which has been in place since 2000, does not adequately protect European citizens’ privacy rights because it does not prevent U.S. intelligence authorities from accessing data transferred from Europe. As the Court held, “national security, public interest, or law enforcement requirements have primacy over the safe harbour principles, primacy pursuant to which self-certified United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with those requirements and therefore prove incompatible with them.” The Court further concluded that the Safe Harbor failed to provide EU citizens effective legal protections in the United States and prevented EU authorities from intervening on behalf of citizens to address complaints about privacy infringements.
Today’s decision leaves the nearly 5,000 organizations that had relied on the Safe Harbor scrambling to consider alternative means by which data transfers can take place, such as model contract provisions, which ensure that transferred personal information receives an adequate level of privacy protection.
We will continue to cover developments in this story as businesses in the United States adjust their data policies and practices in response to the CJEU’s decision.