The Court of Justice of the European Union (CJEU) has held that the EU Commission's decision establishing the Safe Harbor data transfer framework is invalid because the Commission failed to determine that the protection afforded to privacy under U.S. law is adequate. The Court also held that national data protection authorities (DPAs) may oversee and suspend data transfers that they do not believe provide adequate protection.

The October 6, 2015, decision has far-reaching consequences for more than 4,500 companies relying upon the transfer of data from Europe to the United States.

Schrems v. Data Protection Commissioner challenged the transfer of personal information by Facebook from Ireland to the United States. The EU Data Protection Directive (Directive) prohibits personal data from being transferred outside the EU unless the transferee country provides an “adequate level of protection” to that data. The European Commission held that transfers of personal data from the EU to U.S. companies that are Safe Harbor-certified provide adequate protection and are therefore permissible under the Data Protection Directive.

Largely adopting the advisory decision from the Court’s Advocate General, the Court determined that U.S. laws that permit generalized access to the content of electronic communication, like the Foreign Intelligence Surveillance Act, exceed what is strictly necessary for the objective.

Further, the Court held that legislation that does not afford individuals the possibility to access, rectify, or erase personal data relating to them, or to any administrative or judicial redress with regard to collection and further processing of their data taking place under surveillance programs, as might be the case in connection with the NSA surveillance, cannot be deemed to provide adequate protection to personal data.

The Court also held the Commission’s prior ruling with regard to the Safe Harbor framework was invalid because the Commission did not find that the United States “ensures” an adequate level of protection by reason of its domestic law or its international commitments. Accordingly, the Court held that national DPAs may undertake their own analysis to determine whether a proposed data transfer adheres to the requirements of the Directive, or initiate enforcement actions where necessary.

The Court’s decision puts into question how and whether thousands of companies will transfer personal data from the EU to the United States going forward. The Court referred the case back to the Irish Data Commissioner to decide the Schrems complaint. Concurrently, it is expected that national DPAs will weigh in on this decision and decide how transfers will carried out.

Enforcement against companies that rely exclusively on Safe Harbor for data transfers is not expected in the coming days. Regardless, companies would do well to analyze their flow of information from the EU to the United States and consider alternative methods for compliance. Those methods include acquiring explicit and informed consent, adopting transfer agreements containing Model Clauses approved by EU authorities, or adopting Binding Corporate Rules.

On October 15, 2015, Ballard Spahr will hold a webinar, “The Future of the US-EU Safe Harbor: A Cross-Border Discussion of the Schrems v. Facebook Decision,” from 12:00-1:00 p.m. ET. To register, please follow this link.

Attorneys in Ballard Spahr’s Privacy and Data Security Group have extensive experience guiding companies in Safe Harbor compliance and ensuring the reliable and efficient transfer of data cross-border transfer of personal data between the EU and United States.

For more information, contact Consumer Financial Services Group Practice Leader Alan S. Kaplinsky, Privacy and Data Security Group Practice Leaders Philip N. Yannella or Daniel JT McKenna, the other authors of this alert, or the Ballard Spahr attorney with whom you work.

Copyright © 2015 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.

Related Practices

Consumer Financial Services
Privacy and Data Security


Visit CFPB Monitor, our blog on the Consumer Financial Protection Bureau >

Subscribe to the blog via e-mail >