The European Court of Justice (ECJ) ruled on Case C-362/14 (the Schrems case) earlier today, 6 October 2015. In its ruling, the ECJ – among other things – held that the EU Commission’s “US Safe Harbor” decision is invalid.
Under the Directive 95/46/EC, that has been implemented in the various EU member states by national data protection laws, personal data may in principle only be transferred to countries outside the European Economic Area (third countries) if an adequate level of data protection is ensured. In its “US Safe Harbor” decision, the EU Commission found that an adequate level of data protection is ensured where personal data is transferred to the US under the EU-US Safe Harbor scheme.
The ECJ has now invalidated this EU Commission decision, largely following the opinion of its Advocate General issued two weeks ago. As a consequence, businesses cannot rely on this decision as a legal ground for exports of personal data to third countries any more. The ECJ decision invalidating the EU Commission decision is effective immediately.
Even though data protection regulators of the EU Member States may chose not to take immediate enforcement action to suspend data transfers to the US based on the EU-US Safe Harbor framework, businesses are strongly advised to evaluate options to establish alternative grounds to transfer data to the US in accordance with the requirements of Directive 95/46/EC now.
More details on the background of the Schrems case and the Advocate General’s opinion may be found in our previous blog posts here and here. Last night, we analyzed the likely impact of an ECJ decision which found Safe Harbor to be invalid and the mitigation steps that should be considered in our blog post here.
Feel free to contact the authors of the post, and make sure to sign up for the blog to continue receiving updates on this and other important data protection topics.