Alert: Not So Safe: CJEU Follows Advocate General's Opinion, Declaring Safe Harbor Invalid

Ann Bevitt
Cooley LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Background

On 23 September 2015, Advocate General (AG) Bot found that the Safe Harbor framework, which allowed for the "safe" transfer of personal data from the EU to the US, did not provide sufficient guarantees for the protection of the rights of EU citizens. See our previous article on the AG Opinion here. The Court of Justice of the European Union (CJEU) has now followed the AG Opinion and declared Safe Harbor invalid.

The CJEU Decision

The CJEU highlighted shortcomings of the Safe Harbor framework, particularly in light of the Edward Snowden revelations. It emphasised that the scheme is only applicable to US undertakings which adhere to it, and that public authorities are not only not subject to it, but that national security, public interest and law enforcement requirements prevail over the scheme and must disregard the protective rules where they conflict with such requirements.  The CJEU stated that such disregard can be seen as "compromising the essence of the fundamental right to respect for private life" and that blocking an individual's right to pursue legal remedies in such an instance "compromises the essence of the fundamental right to effective judicial protection".

What now?

The CJEU's ruling is final and cannot be appealed.  Data protection authorities of the EU Member States will now have to determine whether transfers of personal data to the US pursuant to Safe Harbor are to be suspended on the grounds that the US does not afford an adequate level of protection of personal data.  The EU and the US have recently been renegotiating the Safe Harbor framework and this decision will either shake (and speed) up their negotiations or derail them.

Impact on business

Those businesses (approximately 4,500) that currently rely on Safe Harbor will need to reconsider their options for transferring data to the US.   Companies operating in more than one Member State will need to monitor the responses to the CJEU decision of all data protection authorities in those states in which they operate, as different authorities may adopt different positions.  For example, some data protection authorities may adopt a generous grace period, but some may take a stricter approach.

Although companies should avoid knee-jerk reactions, as a first step current data flows regarding US data transfers should be immediately reviewed and alternative methods of transfer - such as Model Contractual Clauses – should be considered. 

After enjoying a "Safe Harbor" for the last 15 years, it seems that companies are now to experience some choppy waters ahead. 

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cooley LLP | Attorney Advertising

Written by:

Cooley LLP
Cooley LLP
Contact
more
less

Cooley LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide