Safe Harbour - Ruled invalid by ECJ

The European Court of Justice has this week ruled the Safe Harbour agreement to be invalid. The ruling means that some 4,500 US companies that rely upon Safe Harbour will need to put alternative mechanisms in place in order to move information from Europe to the US.

What is Safe Harbour?

European legislation prohibits the transfer of personal data to a country outside the EU unless the country ensures an "adequate level of protection of personal data". The Safe Harbor scheme is a set of principles and rules for processing personal data. US organisations wishing to transfer personal data from the EU to the US may subscribe to the scheme voluntarily with the US Department of Commerce. An agreement was reached between the US and the European Commission in 2000 that US companies that subscribed to Safe Harbour would be considered to be operating within the requirements of the European legislation requirements.

So what’s changed?

In 2013 Ed Snowden leaked details of a surveillance scheme operated by the US’ National Security Agency (NSA) called Prism. He alleged that the NSA had gained access to personal information regarding Europeans (and other foreign nationals) from the giant tech companies.

An Austrian privacy campaigner, Max Schrems, asked Ireland’s data protection regulator to investigate Facebook (whose European HQ is in Ireland). The Data Protection Commissioner declined claiming that Facebook’s transfer of his personal data to the US was covered by Safe Harbour. Mr Schrems contested that decision and the case was referred to the ECJ.

The ECJ has ruled that the European Commission’s agreement that Safe Harbour was sufficient protection is invalid.

What does this mean?

The ruling is far wider than Facebook. In fact, there is no allegation that Facebook has done anything wrong.

As stated, some 4,500 US companies are currently signed up to Safe Harbour. They will now have to put in place alternative means of ensuring that they comply with the European data protection legislation. The most common method will be signing up to model contract clauses. However, this will cause an administrative burden. Particularly as knocking down Safe Harbour has the following effects:

  • Individual European countries can set their own regulation for US companies' handling of their nationals’ data. This means that US companies may have to comply with different regulations for each European country. This will mean numerous different contractual requirements;
  • Countries can choose to suspend the transfer of data to the US — forcing companies to host user data exclusively within the country. Russia has recently introduced this requirement.
Doesn’t it only affect the tech giants?

No. Many companies send data about their employees and their customers to the US. Companies with a US parent often use IT systems located at the US headquarters to administer personal data such as HR and CRM. Likewise, significant numbers of companies outsourcing their IT systems to cloud service providers which frequently use US-based servers to store the data. Even companies that, for example, send payroll data to the US for administrative purposes will be caught by the collapse of Safe Harbour.

Posted on 10/07/2015 by Ortolan

Get in Touch

If you would like to know more about Ortolan Legal and how we can help you reduce your ongoing recruitment costs, get in touch!

Email us now

   Or call 020 3743 0600

I have worked with Ortolan Legal since 2010 and used their services extensively. They have provided corporate and commercial legal advice and we have also drawn on their capability in the areas of employment law, dispute resolution and property law. What makes them so different is their ability consistently to deliver commercially focussed and high quality advice at a price point which simply cannot be matched by other law firms. They aim to strip out unnecessary overhead costs, concentrate on the quality of their core service and pass on these cost savings to their clients. It works.

Charlie Blackburn, Entrepreneur and co-founder of Brighttalk
See All
Receive news & updates from Ortolan Legal

Meet the Team

  • Nick Benson Nick Benson I qualified as a commercial and corporate solicitor…
  • Liz Delgado Liz Delgado I qualified as a solicitor in 1995 after studying…
  • Carrie Beaumont Carrie Beaumont I qualified as an Employment specialist in 2008. I…