Transfers of personal data to the US - Safe Harbour framework invalid

Advocate General Yves Bot, of the Court of Justice of the European Union (CJEU), has declared the EU-US “Safe Harbour” regime invalid. The opinion could have a major impact on data transfers to and hosting in the US. Whilst the opinion is not binding upon the ECJ, it will be extremely influential when the issue is finally determined later this year.

Companies currently relying on safe harbour to justify data transfers to the US may be wise to look into alternative ways of ensuring adequate protection for personal data transferred outside the EEA to the US, such as the use of standard European Commission-approved contract clauses as a back-up.

The Data Protection Directive (94/46/EC) requires that personal data should not be transferred to a country outside the European Economic Area (EEA) unless it is being transferred to a jurisdiction which ensures ‘adequate’ protection for the rights of individuals. Some countries outside the EEA have been pre-approved by the European Commission but, as many will be aware, the US is not one of those countries.

It is for this reason that the Safe Harbour framework provisions were put in place and approved by the Commission, allowing US organisations to sign up to safe harbour in order to demonstrate adequate protection of personal data. However, the framework has now been challenged, which will be an issue for those who transfer personal data outside the US to companies which have signed up to safe harbour and who rely on safe harbour to do so.

In recent years, the focus has shifted back to the legitimacy of the Safe Harbour framework agreement. In 2013, Edward Snowden released details about a surveillance scheme operated by the NSA called Prism, which provided officials with ways to scrutinise data held by US tech firms concerning European and foreign nationals.

In light of this, Mr Schrems (an Austrian citizen and Facebook user since 2008) brought a complaint to the Irish Data Protection Commissioner suggesting that EU citizens had no protection against US surveillance efforts once their data had been transferred. Mr Schrems said he targeted Facebook in particular because of the wide range of data it generates and the sheer volume of people using the service. Owing to the verdict by the Commission on the 26 July 2002, the complaint was rejected.

After careful consideration, the ECJ Advocate General held that the “safe harbour scheme does not contain appropriate guarantees for presenting mass and generalised access to the transferred data”. AG Bot argued that, as such, fundamental EU rights such as the right to respect for private life and the right to the protection of personal data (as set out within the European Charter) were at risk.


Contact our experts for further advice

Beverley Flynn