In a decision with significant potential ramifications for flows of personal data from the European Union to the United States, the Court of Justice of the European Union (CJEU) today ruled in Maximillian Schrems v. Data Protection Commissioner (C-362/14) that the Safe Harbor Framework no longer provides adequate protection for data transferred to the United States. The decision is likely to leave the over 4000 companies that are currently self-certified to the Safe Harbor Framework scrambling to put in place alternative legal mechanisms to enable trans-Atlantic data transfers to proceed.

Key Takeaways

• The Court found the EU Commission’s decision approving the Safe Harbor to be invalid, citing the Commission’s failure to determine that the totality of US laws and regulations provide adequate data protection to EU citizens.

• The opinion permits member state data protection authorities to independently investigate complaints related to countries that the Commission has deemed to provide adequate levels of data protection

• Data protection authorities could bring cases requesting that Commission adequacy decisions be vacated by the European Court, but data protection authorities could not invalidate a Commission decision without court action.

• The Court’s opinion follows the rationale put forward by Advocate-General Yves Bot in his non-binding opinion issued on 23 September.