The EU Data Protection Directive imposes restrictions on the transfer of personal data outside the EU, with transfers permitted only if the relevant country provides an adequate level of protection or if the recipient entity can demonstrate it provides adequate protection, eg, by agreeing to the European Commission's model clauses or having an approved set of binding corporate rules in place. Another option, at least until very recently, was for the recipient to have subscribed to the US Safe Harbour Scheme. However, the European Court of Justice has recently ruled in Schrems v DPC that the US Safe Harbour Scheme is invalid.
The Court of Justice decided that the existence of the European Commission Decision 2000/520 in relation to the so-called US Safe Harbour (the "Safe Harbour Decision") did not prevent a national data protection authority from investigating individual complaints relating to the transfer of personal data to the United States; the Court further considered the Safe Harbour Decision itself and found it to be invalid.
As a result, businesses – chiefly US-based organisations – will no longer be able to rely on the US Safe Harbour Privacy Principles as ensuring an adequate level of protection to satisfy the requirements of the EU Data Protection Directive when transferring personal data outside the EEA.
The Court did not provide any transitional period for compliance. Nor did it provide any guidance on how organisations should react in the immediate aftermath of the ruling, for example, by stopping transfers of personal data relying on the Safe Harbour mechanism until alternative arrangements are in place.
The European Commission has been negotiating with the US authorities for some time regarding the introduction of a new, more privacy-protective arrangement, and these negotiations can now be expected to be pursued with more urgency. In the meantime, however, organisations which have relied on the Safe Harbour scheme will have to put alternative compliance mechanisms in place quickly, although the choice is limited.
Impact for employers
Organisations which transfer personal data (including of employees) to the US should urgently consider their response. For more details, including the position of various national data protection authorities, see our data protection update.