In a far-reaching judgment issued this morning, the Court of Justice of the European Union declared the European Commission’s 2000 U.S. Safe Harbor Decision invalid. The Court held that the safe harbor principles under which U.S. companies self-certify are not sufficient to ensure adequate protection of personal data and cannot justify transatlantic data transfer. The Court further stated that the European Commission does not have the power to prevent national data protection authorities from examining whether the transfer of personal data to third countries (even under an adequacy decision such as the Safe Harbor Decision) is in compliance with the European data protection rules. To illustrate, the Court highlighted the impact of new factual developments such as the Snowden revelations.
In a first reaction provided in a press conference this afternoon, the European Commission welcomed the judgment as an important step toward upholding European citizens’ fundamental rights to data protection. The Commission stated that it will continue working toward a renewed framework for the transatlantic transfer of personal data alongside U.S. authorities. Recognizing the importance of transatlantic data flows for the European economy, the European Commission described the continuation of such flows as a priority following today’s judgment.
While an entity established in the EU/EEA can no longer rely on the safe harbor certification of any recipient established in the United States for data transfers, alternative mechanisms and derogations in the European data protection rules may still allow for a transfer of personal data across the Atlantic.