Europe's Highest Court Invalidates U.S.-EU Safe Harbor Regime

October 6, 2015 Advisory

The European Court of Justice (ECJ) today invalidated the transatlantic Safe Harbor Regime that permits U.S. companies to transfer consumers’ and employees’ personal data from Europe to the United States under a presumed level of "adequate" privacy protection. Although the ruling doesn’t order an immediate end to such transfers, it does permit EU regulators to stop them if they feel that privacy protections are inadequate. 

One possible consequence of today’s decision is that U.S. companies might be forced to house their employee or customer data on servers located in Europe and quickly become familiar with multiple regulatory environments. 

The Safe Harbor Regime, an agreement approved by the EU in 2000, has been used by some 4,000 U.S. and EU companies, including Apple Inc. and Alphabet Inc.’s Google. The agreement has been a mechanism for participating corporations to protect themselves from interruptions in their transatlantic business and prosecution by data protection authorities (DPAs) in individual European countries under their applicable privacy laws. The agreement created a voluntary program, whereby corporations self-certify annually that they are abiding by the regime’s seven principles of privacy protection (Privacy Principles) and publically declare that they do so.1 

Today’s decision stems from a 2013 complaint, known as the Facebook case, which was filed with the Irish DPA. The plaintiff, privacy activist Max Schrems, alleged Facebook violated his privacy rights by permitting his personal data to become subject to one of the mass surveillance programs of the U.S. National Security Agency. Although the DPA initially rejected the case, Schrems appealed the matter to the Irish High Court, which in turn referred to the ECJ the specific question of whether the respective country DPAs have the authority to investigate and suspend transfers of personal data under the Safe Harbor Regime without limitation by the EU Commission. Today, the ECJ has answered that question in the affirmative. But the ECJ went a step further and actually declared the 2000 implementation of the Safe Harbor Regime invalid, nullifying its legal basis. 

Accordingly, in addition to the economic cost created by the uncertainty and disruption, today’s decision has significant practical and legal consequences for the many U.S. corporations that are (at times daily) transferring personal data from the EU to the U.S. The decision will certainly light a fire under the negotiations between the European Commission and the U.S. Commerce Department to reform the Safe Harbor Regime, which likely means additional compliance challenges for companies. 

Further, corporations that do not have good contingency plans in place could find themselves flat-footed and arguably in violation of various European countries’ data privacy laws. There are alternatives to the Safe Harbor Regime if you are one of the 4,000 corporations currently relying upon it as the legal basis for the transfer of personal data from the EU to the U.S., including obtaining explicit and fully informed consent from the data subject, implementing binding corporate rules for intracompany transfers, executing pre-approved model contracts between the data exporting and importing entities, and pursuing ad hoc adequacy determinations by the relevant DPAs. 

In light of the swiftly changing sands in the data privacy/protection landscape, members of Armstrong Teasdale’s Privacy and Data Security Group will continue to closely monitor the situation. 

The seven Privacy Principles of the Safe Harbor Regime are notice, choice, onward transfer, access, security, data integrity, and enforcement.

Contact Us
  • Worldwide
  • Boston, MA
  • Chicago, IL
  • Denver, CO
  • Dublin, Ireland
  • Edwardsville, IL
  • Jefferson City, MO
  • Kansas City, MO
  • Las Vegas, NV
  • London, England
  • Miami, FL
  • New York, NY
  • Orange County, CA
  • Philadelphia, PA
  • Princeton, NJ
  • Salt Lake City, UT
  • St. Louis, MO
  • Washington, D.C.
  • Wilmington, DE
abstract image of world map
Boston, MA
800 Boylston St.
30th Floor
Boston, MA 02199
Google Maps
Boston, Massachusetts
Chicago, IL
100 North Riverside Plaza
Suite 1500
Chicago, IL 60606-1520
Google Maps
Chicago, Illinois
Denver, CO
4643 S. Ulster St.
Suite 800
Denver, CO 80237
Google Maps
Denver, Colorado
Dublin, Ireland
Fitzwilliam Hall, Fitzwilliam Place
Dublin 2, Ireland
Google Maps
Edwardsville, IL
115 N. Second St.
Edwardsville, IL 62025
Google Maps
Edwardsville, Illinois
Jefferson City, MO
101 E. High St.
First Floor
Jefferson City, MO 65101
Google Maps
Jefferson City, Missouri
Kansas City, MO
2345 Grand Blvd.
Suite 1500
Kansas City, MO 64108
Google Maps
Kansas City, Missouri
Las Vegas, NV
7160 Rafael Rivera Way
Suite 320
Las Vegas, NV 89113
Google Maps
Las Vegas, Nevada
London, England
Royal College of Surgeons of England
38-43 Lincoln’s Inn Fields
London, WC2A 3PE
Google Maps
Miami, FL
355 Alhambra Circle
Suite 1200
Coral Gables, FL 33134
Google Maps
Photo of Miami, Florida
New York, NY
7 Times Square, 44th Floor
New York, NY 10036
Google Maps
New York City skyline
Orange County, CA
19800 MacArthur Boulevard
Suite 300
Irvine, CA 92612
Google Maps
Philadelphia, PA
2005 Market Street
29th Floor, One Commerce Square
Philadelphia, PA 19103
Google Maps
Philadelphia, Pennsylvania
Princeton, NJ
100 Overlook Center
Second Floor
Princeton, NJ 08540
Google Maps
Princeton, New Jersey
Salt Lake City, UT
222 South Main St.
Suite 1830
Salt Lake City, UT 84101
Google Maps
Salt Lake City, Utah
St. Louis, MO
7700 Forsyth Blvd.
Suite 1800
St. Louis, MO 63105
Google Maps
St. Louis, Missouri
Washington, D.C.
1717 Pennsylvania Avenue NW
Suite 400
Washington, DC 20006
Google Maps
Photo of Washington, D.C. with the Capitol in the foreground and Washington Monument in the background.
Wilmington, DE
1007 North Market Street
Wilmington, DE 19801
Google Maps
Wilmington, Delaware