Yesterday, October 6, 2015, the European Court of Justice ("ECJ") issued its Judgment in the Schrems case, and in doing so, continued along the seismic shift happening in law related to cross-border privacy. The two major elements of yesterday's Judgment are 1) The Commission Decision 2000/520/EC of 26 July 2000 on the adequacy of the protection provided by the US Safe Harbor framework (the "Safe Harbor Decision") is invalid, and 2) even if the Safe Harbor Decision were otherwise valid, no decision of the Commission can reduce the authority of a national data protection authority ("DPA") to enforce data protection rights as granted by Article 28 of the data protection directive ("DP Directive").
Clearly, the first element brings a more immediate concern for all the companies participating in the Safe Harbor framework. However, the second element will have much longer term consequences for the stability of US-EU commerce and privacy law.
Validity of the Safe Harbor Decision
Over 4,000 companies rely on the Safe Harbor Decision as the legitimate basis for transfers of data from the EU to the US. The unfortunate result of yesterday's Judgment is that such a basis for transfer is no longer valid as the ECJ has a direct and retroactive effect on how the DP Directive should be interpreted. Therefore, companies need to determine an alternative basis for lawfully transferring their data to the US. Fortunately, there are ways to do this. Unfortunately, until such measures are taken, companies moving data between the US and the EU may be in breach of EU law.
Derogations to Transfer Prohibition
The Directive provides for certain "derogations", or exceptions, which legitimize cross-border transfers of personal data. More specifically, cross-border transfers are permitted where:
the individual has given his unambiguous consent to the transfer; the transfer is necessary for the performance of a contract between the individual and the business (which is the "data controller"); the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the business (again, the "data controller") and a third party; the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defense of legal claims; or the transfer is necessary in order to protect the vital interests of the data subject. Companies who use these exceptions still need to...