Safe Harbour In A Storm?

Author:Mr Mark Dunster, Siobhan Riley, Elaine Gray, Huw Thomas, Richard Field, Ben Mays and Nick Bullmore
Profession:Carey Olsen

Europe's highest court, The Court of Justice of the European Union ("CJEU") has declared the EU-US Safe Harbour Agreement ("Safe Harbour") to be invalid as a mechanism to legitimise personal data transfers from the EU to the US. The decision is unsurprising, given the recent release of Advocate General Bot's Opinion to that effect and the unrest at the Snowden revelations regarding government surveillance of personal data. However, it leaves businesses placing reliance on Safe Harbour in difficulties, as such data transfers are now unlawful. The decision affects all businesses moving employee, customer or other personal data between the EU and the US, placing reliance on Safe Harbour. This includes those using third party providers or group companies to host and process data for core HR, marketing, administration or compliance purposes. Even if the data is not stored in the US, if teams based there can access the data, then there may be an issue.


Safe Harbour is a self-certification scheme created by the European Commission and the US Department of Commerce in order to allow US-based companies to overcome the restrictions placed on the export of data from the EU, in particular the EU requirement to ensure "adequate protection" for personal data being transferred from the EU to the US1.

Those in the US wishing to import data from a variety of European countries could in turn benefit from applying a "blanket" standard to facilitate transfers from a variety of EU countries. Without Safe Harbour (or one of the other approved measures) being in place, the transfer would be banned, as the US is not deemed "adequate" for crossborder data transfers from an EU perspective.

There has been increased scrutiny of tech giants (such as Facebook) and their policies, following the Snowden revelations. The EU is also in the process of streamlining and updating its data protection rules and the negotiations have brought into focus the question as to whether Safe Harbour operates to protect personal data effectively. There has been a growing belief that US companies aren't meeting the standards that are being claimed, which hasn't been helped by criticisms from EU regulators and the prosecutions in the US of companies whose self-certification proved to be defective.


The case was brought by Maximilian Schrems, a Facebook user and privacy campaigner concerned by the outfall from the Snowden revelations, who argued that Safe...

To continue reading