Safe Harbour FAQs – IAB Europe, 13th October 2015


SAFE HARBOR FAQ’s – iabeurope_web13 OCTOBER 2015

On 6 October 2015, the Court of Justice of the European Union (“CJEU”) delivered its judgment in C-362/14 Maximilian Schrems v Data Protection Commissioner invalidating the U.S.-EU Safe Harbor Framework.

These FAQ provide an overview of the implications of the Court’s decision, as well as offer guidance to companies about what to do in wake of the judgment and what to expect next.


Q: What was the U.S.-EU Safe Harbor Framework?

A: Under the Data Protection Directive (Directive 95/46/EC) the transfer of personal data from the European Union (“EU”) outside of the European Economic Area (“EEA”) is prohibited unless the data protection rules of the third country to which the data are transferred have been declared “adequate” by the European Commission.

As the United States (“U.S.”) and the EU do not have equivalent data protection rules the European Commission –  in consultation with the U.S. Department of Commerce – adopted the U.S.-EU Safe Harbor Framework (Decision 2000/520/EC) in July 2000. The decision allowed the transfer of personal data from the EU to U.S. companies that participated in the U.S.-EU Safe Harbor scheme.


Q: Why was the U.S.-EU Safe Harbor Framework declared invalid?

A: The CJEU found that the Safe Harbor Framework enables “interference (…) with the fundamental rights of the persons whose personal data is or could be transferred from [the EU to the U.S.]” because it only covers self-certified companies and not actions by U.S. authorities.

Additionally, the CJEU considered the European Commission’s decision on the U.S.-EU Safe Harbor Framework and found that the Commission had not –  as is required by the Data Protection Directive – establish that the U.S. provides an adequate level of protection of personal data “by virtue of its domestic law and international obligations”, i.e. a “level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.”

In this context the Court recalled that in the EU interference with the fundamental right to respect to private life is only permissible where it is strictly necessary and explicitly provided examples of legislation that is not in line with the EU legal order: Generalized retention of personal data; Generalized surveillance of the content of communication; Lack of judicial recourse for for individuals to access, rectify or erase personal data relating to them.

The CJEU further found that the U.S.-EU Safe Harbor Framework unlawfully limited the power of national data protection authorities – such as DPC (Data Protection Commissioner) –  to investigate claims by individuals concerning the adequacy of third countries.


Q: When will the CJEU’s judgment come into effect?

A: The CJEU’s judgment is effective immediately. As such the U.S.-EU Safe Harbor Framework has ceased to exist as of 6 October 2015.


Q: What is the impact of the CJEU’s judgment?

A: With the U.S.-EU Safe Harbor Framework invalidated, organizations that have made use of the framework can no longer use it to legally transfer personal data from the EU to the U.S. of 6 October 2015. This means that there is no harmonized EU-level answer to the question of whether and how personal data can be transferred to the U.S. It is now up to each national data protection authority to make decisions on transfers of personal data from the EU to the U.S. in accordance with national law and the Data Protection Directive. Undoubtedly, the judgment creates significant legal uncertainty. That said there are alternative mechanisms with which to achieve the same goal (see below).


Q: How can my company continue to legally transfer data from the EU to the U.S.?

A: The Safe Harbor Principles were not the only mechanism allowing the transfer of personal data from the EU and U.S. Your company may still leverage any one or several of the following alternatives:

For more detailed information please consult the FAQs relating to transfers of personal data from the EU/EEA to third countries from the European Commission. Additionally, companies should consult the data protection authorities in their relevant markets as requirements for the lawful transfer of data to the U.S. may vary across countries.

Q: Which immediate steps are being taken by the European Union to address the situation?

A: Frans Timmermans, First Vice-President of the European Commission, and Vera Jourová, European Commissioner for Justice, gave a statement on the day of the judgment in which they outlined the immediate priorities of the European Commission:

  • Protecting personal data transferred across the Atlantic
  • Keeping up important transatlantic data flows
  • Ensuring a uniform application of EU law in the Member States

To this end the European Commission promised clear guidance to national data protection authorities on how to deal with data transfer requests to the U.S. in light of the ruling.

The European Commission has immediately called a meeting of the Article 29 Working Party (“WP29”), which brings together all national data protection authorities and, European Data Protection Supervisor and European Commission. The group has met on Thursday, 8 October 2015 to discuss a common approach in light of the judgment. An extraordinary plenary meeting of the WP29 will be scheduled “shortly” presumably to adopt this harmonized approach.


Will there be a new Safe Harbor Framework?

A: The good news is that the CJEU leaves room for setting up a new Safe Harbor Framework, which could restore legal certainty and a harmonized EU approach to EU to U.S. transfers.

The European Commission and U.S. government have been negotiating an update of the Safe Harbor Framework since 2013. Both EU and U.S. negotiators have vowed to finalize negotiations for what can become “Safe Harbor 2.0.” with a view to restoring legal certainty for companies. To this end negotiators meeting have promised to step up the negotiations.