CJEU Declares Safe Harbor Framework Invalid

Overview

In a decision with significant potential ramifications for flows of personal data from the European Union to the United States, the Court of Justice of the European Union (CJEU) today ruled in Maximillian Schrems v. Data Protection Commissioner (C-362/14) that the Safe Harbor Framework no longer provides adequate protection for data transferred to the United States. The decision is likely to leave the over 4000 companies that are currently self-certified to the Safe Harbor Framework scrambling to put in place alternative legal mechanisms to enable trans-Atlantic data transfers to proceed.

Key Takeaways

• The Court found the EU Commission’s decision approving the Safe Harbor to be invalid, citing the Commission’s failure to determine that the totality of US laws and regulations provide adequate data protection to EU citizens.
• The opinion permits member state data protection authorities to independently investigate complaints related to countries that the Commission has deemed to provide adequate levels of data protection
• Data protection authorities could bring cases requesting that Commission adequacy decisions be vacated by the European Court, but data protection authorities could not invalidate a Commission decision without court action.
• The Court’s opinion follows the rationale put forward by Advocate-General Yves Bot in his non-binding opinion issued on 23 September. (See our summary of the Bot opinion.)

Next Steps

The Drinker Biddle Privacy and Data Security Team continues to monitor developments in Europe and advise clients regarding next steps. The Drinker Biddle team will be holding a series of webinars and roundtables to review this opinion with clients and discuss options for the future. A general webinar and discussion will be held on October 13, and additional conversations will be scheduled. To be included in these conversations, please contact your Drinker Biddle lawyer or one of the lawyers listed below: