October 23, 2019

October 22, 2019

Subscribe to Latest Legal News and Analysis

October 21, 2019

Subscribe to Latest Legal News and Analysis

Court of Justice of the European Union Declares Safe Harbor Framework Invalid

In a decision with significant potential ramifications for flows of personal data from the European Union to the United States, the Court of Justice of the European Union (CJEU) today ruled in Maximillian Schrems v. Data Protection Commissioner (C-362/14) that the Safe Harbor Framework no longer provides adequate protection for data transferred to the United States. The decision is likely to leave the over 4000 companies that are currently self-certified to the Safe Harbor Framework scrambling to put in place alternative legal mechanisms to enable trans-Atlantic data transfers to proceed.

Key Takeaways

  • The Court found the EU Commission’s decision approving the Safe Harbor to be invalid, citing the Commission’s failure to determine that the totality of US laws and regulations provide adequate data protection to EU citizens.

  • The opinion permits member state data protection authorities to independently investigate complaints related to countries that the Commission has deemed to provide adequate levels of data protection

  • Data protection authorities could bring cases requesting that Commission adequacy decisions be vacated by the European Court, but data protection authorities could not invalidate a Commission decision without court action.

  • The Court’s opinion follows the rationale put forward by Advocate-General Yves Bot in his non-binding opinion issued on 23 September.

© 2019 Foley & Lardner LLP

TRENDING LEGAL ANALYSIS


About this Author

Peter A. Blenkinsop, Drinker Biddle Law Firm, Healthcare and Data Privacy Attorney, Washington DC
Partner

Peter A. Blenkinsop advises clients on data privacy, research compliance, and e-health. He co-chairs the firm’s Information Privacy, Security & Governance practice. Peter represents clients in the life sciences, health, nutrition, and technology sectors, among others.

Peter’s focus on data privacy and security law began well over a decade ago in the run up to implementation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Since then, his practice has expanded well beyond health information privacy to data privacy...

202-230-5142
Mary Devlin Capizzi,Corporate Attorney, Drinker Biddle,
Partner

Mary Devlin Capizzi counsels individual corporations and consortia clients (comprised of industry, government and academia representatives) on a range of compliance matters involving regulatory, legislative, scientific and policy issues in the U.S., the EU and other countries around the world. She represents clients in the pharmaceutical, biotechnology, medical device, health, nutrition, chemical and technology sectors.

Mary serves as a managing partner of the firm. She was the first chair of the firm’s Professional Development Committee, is a member of the Women's Leadership Committee and a member of the Government and Regulatory Affairs Practice Group.

Prior to joining the firm, Mary served on the New York City-based legal team that represented the Bank Advisory Committees for Brazil and Mexico in connection with the restructuring of their sovereign external debt. She is a fluent Spanish speaker and completed foreign study programs at La Universidad de San Luis in Madrid, Spain; Universidad Internacional, Center for Bilingual Multicultural Studies in Cuernavaca, Mexico; Universitá di Dallas in Rome, Italy; and L’Ecole des Cadres in Paris, France.

202-230-5101
Stanley W. Crosley, Drinker Biddle, Health Data Privacy Lawyer
Of Counsel

Stan Crosley is of counsel to the firm’s Government & Regulatory Affairs Practice Group where he chairs the Data Privacy and Health Information Governance team, a cross-disciplinary team of lawyers with health data privacy experience. Stan is the former Chief Privacy Officer for Eli Lilly and Company, a position he held for 10 years, where he initiated Lilly’s global privacy program and negotiated the company’s compliance with FTC and State consent decrees, multiple European Data Protection Authority privacy inspections, and successful certification...

(317) 770-7399