Europe's Top Court Invalidates ‘Safe Habour' Data Transfer Framework

Author:Ms Kirsten Thompson, Daniel G. C. Glover, Breanna Needham, Barry B. Sookman and Charles S. Morgan
Profession:McCarthy Tétrault LLP

On October 6, 2015, the Court of Justice of the European Union ("CJEU") declared that the US-EU Safe Harbour framework is invalid, striking it down in the highly anticipated case of Schrems v. Data Protection Commissioner. The decision is effective immediately, with far-reaching and widespread implications for entities with multinational data flows.

Since EU data protection laws purport to apply to the processing of personal data regardless of whether the individuals affected are EU citizens or not, or are physically present in the EU or not, the potential impacts of this decision go beyond those organizations with an EU clientele. Any organization that makes use of equipment located in a Member State to process personal data is potentially at risk.


Max Schrems, a law student and privacy advocate from Austria, initiated a case against Facebook in Ireland asserting that American mass surveillance programs (such as the NSA activity divulged by Edward Snowden) violated his privacy. The Safe Harbour framework permits major U.S.-based organizations to self-certify that they are providing an "adequate level of protection for privacy and fundamental rights and freedoms" in compliance with EU privacy laws.

While the Irish Data Protection Commissioner originally rejected the case on the basis that the European Commission had already found the Safe Harbour framework to be compliant, the High Court of Ireland referred the question of the legality of the Safe Harbour framework to the CJEU for consideration. Notwithstanding prior blessing from the European Commission, the CJEU concluded that the framework was incompatible with EU privacy norms.

Despite assertions that U.S. intelligence gathering is of a targeted, rather than a general, nature, the CJEU fundamentally disagreed. It found the original Safe Harbour Decision invalid on the basis that self-certifying organizations "are bound to disregard" fundamental privacy rights when they conflict with the national security and public interest requirements or domestic legislation of the United States. This finding thus renders illegal any transfer of personal data from the EU to the United States that is based solely on Safe Harbour self-certification.

The CJEU's ruling is final, with no avenue for appeals.


The CJEU's decision, unlike many major decisions with far-reaching implications, has no transition period to allow for phased-in implementation; it is effective immediately...

To continue reading