Europe's Highest Court Invalidates U.S.-EU Safe Harbor Regime

October 6, 2015 Advisory

The European Court of Justice (ECJ) today invalidated the transatlantic Safe Harbor Regime that permits U.S. companies to transfer consumers’ and employees’ personal data from Europe to the United States under a presumed level of "adequate" privacy protection. Although the ruling doesn’t order an immediate end to such transfers, it does permit EU regulators to stop them if they feel that privacy protections are inadequate. 

One possible consequence of today’s decision is that U.S. companies might be forced to house their employee or customer data on servers located in Europe and quickly become familiar with multiple regulatory environments. 

The Safe Harbor Regime, an agreement approved by the EU in 2000, has been used by some 4,000 U.S. and EU companies, including Apple Inc. and Alphabet Inc.’s Google. The agreement has been a mechanism for participating corporations to protect themselves from interruptions in their transatlantic business and prosecution by data protection authorities (DPAs) in individual European countries under their applicable privacy laws. The agreement created a voluntary program, whereby corporations self-certify annually that they are abiding by the regime’s seven principles of privacy protection (Privacy Principles) and publically declare that they do so.1 

Today’s decision stems from a 2013 complaint, known as the Facebook case, which was filed with the Irish DPA. The plaintiff, privacy activist Max Schrems, alleged Facebook violated his privacy rights by permitting his personal data to become subject to one of the mass surveillance programs of the U.S. National Security Agency. Although the DPA initially rejected the case, Schrems appealed the matter to the Irish High Court, which in turn referred to the ECJ the specific question of whether the respective country DPAs have the authority to investigate and suspend transfers of personal data under the Safe Harbor Regime without limitation by the EU Commission. Today, the ECJ has answered that question in the affirmative. But the ECJ went a step further and actually declared the 2000 implementation of the Safe Harbor Regime invalid, nullifying its legal basis. 

Accordingly, in addition to the economic cost created by the uncertainty and disruption, today’s decision has significant practical and legal consequences for the many U.S. corporations that are (at times daily) transferring personal data from the EU to the U.S. The decision will certainly light a fire under the negotiations between the European Commission and the U.S. Commerce Department to reform the Safe Harbor Regime, which likely means additional compliance challenges for companies. 

Further, corporations that do not have good contingency plans in place could find themselves flat-footed and arguably in violation of various European countries’ data privacy laws. There are alternatives to the Safe Harbor Regime if you are one of the 4,000 corporations currently relying upon it as the legal basis for the transfer of personal data from the EU to the U.S., including obtaining explicit and fully informed consent from the data subject, implementing binding corporate rules for intracompany transfers, executing pre-approved model contracts between the data exporting and importing entities, and pursuing ad hoc adequacy determinations by the relevant DPAs. 

In light of the swiftly changing sands in the data privacy/protection landscape, members of Armstrong Teasdale’s Privacy and Data Security Group will continue to closely monitor the situation. 

The seven Privacy Principles of the Safe Harbor Regime are notice, choice, onward transfer, access, security, data integrity, and enforcement.

Contact Us
  • Worldwide
  • Boston, MA
  • Denver, CO
  • Edwardsville, IL
  • Jefferson City, MO
  • Kansas City, MO
  • Las Vegas, NV
  • New York, NY
  • Philadelphia, PA
  • Princeton, NJ
  • Salt Lake City, UT
  • St. Louis, MO
Worldwide
abstract image of world map
Boston, MA
225 Franklin Street
26th Floor
Boston, MA 02110
Google Maps
Boston, Massachusetts
Denver, CO
4643 S. Ulster St.
Suite 800
Denver, CO 80237
Google Maps
Denver, Colorado
Edwardsville, IL
115 N. Second St.
Edwardsville, IL 62025
Google Maps
Edwardsville, Illinois
Jefferson City, MO
3405 W. Truman Boulevard
Suite 210
Jefferson City, MO 65109
Google Maps
Jefferson City, Missouri
Kansas City, MO
2345 Grand Blvd.
Suite 1500
Kansas City, MO 64108
Google Maps
Kansas City, Missouri
Las Vegas, NV
3770 Howard Hughes Parkway
Suite 200
Las Vegas, NV 89169
Google Maps
Las Vegas, Nevada
New York, NY
919 Third Ave., 37th Floor
New York, NY 10022
Google Maps
New York City
Philadelphia, PA
2005 Market Street
29th Floor, One Commerce Square
Philadelphia, PA 19103
Google Maps
Philadelphia, Pennsylvania
Princeton, NJ
100 Overlook Center
Second Floor
Princeton, NJ 08540
Google Maps
Princeton, New Jersey
Salt Lake City, UT
257 East 200 South
Suite 350
Salt Lake City, UT 84111
Google Maps
Salt Lake City, Utah
St. Louis, MO
7700 Forsyth Blvd.
Suite 1800
St. Louis, MO 63105
Google Maps
St. Louis, Missouri