Alert

By Andrew Caplan, Kelley D. Bledsoe, Mercedes K. Tunstall, Steven Farmer

Europe’s top court ruled that the “Safe Harbor Framework” data sharing regime, on which U.S. companies rely to maintain information regarding EU citizens, is “invalid.” This means that any company relying upon the Safe Harbor Framework, and any U.S. company holding EU citizen data in the U.S., urgently needs to review and reform how such data is transferred and stored to avoid the risk of fines. The status quo is not an option.

Yesterday, the Court of Justice of the European Union (the “CJEU”) delivered a striking blow to the fifteen-year-old regime governing EU-U.S. data transfers. Specifically, the CJEU declared invalid the Safe Harbor framework (the “Safe Harbor Framework” or the “Framework”) that thousands of U.S. companies have relied upon to facilitate data transfers from the EU to the United States.

The CJEU’s rationale for striking down the Safe Harbor Framework was primarily based upon its assessment that U.S. authorities have the ability to access personal data transferred from EU member states (“Member States”) and process it in a way that is “incompatible…with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.” The CJEU’s conclusion was largely informed by the 2013 revelations of Edward Snowden regarding the U.S. government’s capture of personal data through the PRISM program.

This means that companies that have relied upon the Framework must look back to default EU standards from 1995 to determine whether their data sharing practices are permissible. Further, the CJEU’s opinion has clarified the role of individual EU member states in enforcing these requirements.

In this client alert, we provide a brief discussion of the legal background that established the Safe Harbor Framework; the CJEU’s analysis behind its decision; and practical steps companies can take to help ensure compliance.

Background on the Legal Framework Surrounding the Safe Harbor Framework

On October 24, 1995, the European Parliament and Council issued Directive 95/46, establishing that a transfer of personal data from the EU to another country must meet EU standards or else cannot take place.[1] The rationale for this approach “is to protect the fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (the “Convention”),…and in general principles of Community Law.”[2]

As such, pursuant to Article 25(4) of Directive 95/46, if a country’s privacy laws do not meet EU standards and ensure an adequate level of protection, EU Member States must prevent the transfer of data to the country in question.

However, the next section of Directive 95/46, Article 25(6), provides a mechanism by which the European Commission may find that a particular country does provide an adequate level of protection, by reason of its domestic law or international commitments, for the protection of the private lives and basic freedoms and rights of individuals, in accordance with the Directive.

Pursuant to this authority under Article 25(6) of Directive 95/46, the European Commission issued Commission Decision 2000/520 on July 26, 2000, which established the Safe Harbor Framework for data transfers between the EU and U.S. This Commission Decision states that U.S. companies subject to Federal Trade Commission or Department of Transportation jurisdiction may satisfy the requisite standard of “adequate” personal data protection by complying with Commission Decision 2000/520.[3] Until yesterday, companies in the U.S. storing, processing or transferring data from EU citizens were able to use this Safe Harbor Framework through an annual self-certification with the U.S. Department of Commerce.

  1. Council Directive 95/46, art. 25, §1, 1995 O.J. (L 281).
  2. Id. at pmbl. § 10.
  3. The seven core privacy principles included in the Safe Harbor Framework are: (1) Notice: organizations must notify individuals about the purposes for which they collect and use information about them; (2) Choice: organizations must give individuals the opportunity to opt out of third party information sharing; in the case of sensitive information, organizations must provide individuals the opportunity to affirmatively opt in to third party information sharing; (3) Onward Transfer: to disclose information to a third party, organizations must require the third party to comply with these Notice and Choice principles; (4) Access: individuals must have access to personal information about them, except where the burden or expense of providing access is disproportionate to the risks to individual privacy, or where the rights of persons other than the individual would be violated; (5) Security: organizations must take reasonable precautions to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration and destruction; (6) Data Integrity: organizations must ensure the integrity of personal information; and (7) Enforcement: this includes both private and government-level enforcement mechanisms to ensure compliance.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.