In a milestone decision on transatlantic data protection, the European Court of Justice (ECJ) issued its judgment in the Max Schrems case on, October 6, 2015, declaring the EU-U.S. Safe Harbor invalid. As many predicted, the judgment follows the opinion of Advocate General Bot, published less than two weeks ago, and rules that the Safe Harbor does not supersede the powers of EU Member State authorities to scrutinize the handling and transfer of personal data outside the EU.
The key reasons given by the ECJ for declaring the Safe Harbor decision invalid include: 1) the Safe Harbor’s overly general provision for self-certified companies to disregard the Safe Harbor principles where they conflict with national security, public interest and law enforcement requirements; and 2) the inability for EU citizens to pursue legal remedies in order to gain access to personal data or to obtain the rectification or erasure of such data where it is transferred to the U.S.
While the Commission appears to be focusing its efforts on negotiations with the U.S., the question still remains as to whether Safe Harbor version 2.0 will be sufficient to address the concerns raised by the ECJ. Indeed, the U.S. Secretary of Commerce expressed in a press release deep disappointment in the Court’s decision, claiming it “creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy.”
Ultimately, businesses relying on the EU-U.S. Safe Harbor, whether for intra-group data transfers or for transfers to third parties, will need to reassess their choice of international data transfer solutions and decide whether to adopt alternative mechanisms, such as Binding Corporate Rules or EU standard contractual clauses. It is difficult to predict at this stage how DPAs will enforce the ECJ decision in the short-term, although in a statement released by the UK’s Information Deputy Commissioner, he acknowledged that it may take businesses who previously relied on the Safe Harbor some time to review alternative solutions.
On October 8, 2015, Sidley Austin LLP will be holding a webinar on this important development, entitled “Safe Harbor Data Privacy Briefing: Your Questions Answered,” in partnership with DataGuidance. For more information please click here.
If you have any questions regarding this Sidley Update, please contact the Sidley lawyer with whom you usually work, or
William Long Partner wlong@sidley.com +44.20.7360.2061 |
Maarten Meulenbelt Partner mmeulenbelt@sidley.com +32.2.504.6467 |
Alan Charles Raul Partner araul@sidley.com +1.202.736.8477 |
Sidley Privacy, Data Security and Information Law Practice
To receive Sidley Updates, please subscribe at www.sidley.com/subscribe.
Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.