BREAKING NEWS: EU Court Of Justice Declares Safe Harbour Regime Invalid, Rendering A Large Number Of EEA-US Data Transfers Illegal

Author: Ms Kim Lucassen and Joanne Zaaijer
Profession: Loyens & Loeff

Legal background

Almost every company somehow processes personal data (data relating to its employees, its customers or suppliers, data collected by cookies or website plugins, etc.). According to EU data protection legislation, any such personal data may freely circulate within the EEA. Conversely, any transfer/flow of personal data outside the EEA is only allowed if the third country concerned ensures an 'adequate level of protection'.

The US is not (yet) considered to provide an 'adequate level of protection'. Consequently, a transfer of personal data from the EEA to group companies, servers/data centres, IT service providers or other data processors or contractual partners located in the US will only be allowed under a limited number of specific circumstances, amongst which:

- when the transfer is strictly necessary for performance of a contract with the data subjects concerned;
- when the data subjects' prior express written consent to such transfer has been obtained;
- through the intra-group adoption of 'Binding Corporate Rules' (internal codes of conduct);
- if a data transfer agreement is concluded with the non-EEA data receiver, incorporating the unmodified standard contractual clauses approved by the European Commission; or
- if the US data receiver is Safe Harbour certified.

Safe Harbour certification is granted by the US Department of Commerce to companies/organisations that comply with a set of 'Privacy Principles' that are deemed to provide adequate personal data protection pursuant to a Decision of 26 July 2000 of the European Commission (2000/520/EC). The effect of that decision is that personal data can flow from the EU and EEA member countries to the certified US company/organisation without any further safeguard being necessary. At this moment, over 4,500 US companies (among which Apple, Google, Facebook and many US-based service providers) are Safe Harbour certified. Thousands of other EU-based companies use Safe Harbour certified contractual partners.

The CJEU judgment

1. Invalidation of safe harbour certification system

In its judgment of 6 October 2015, the EU Court of Justice ("CJEU") has decided that Commission Decision 2000/520/EC, establishing the 'adequacy' of the Safe Harbour certification system, is in fact invalid.

As long as US law allows personal data in the US to be accessed by the NSA and by other United States security agencies in the course of a mass and indiscriminate surveillance and interception of such...
