skip to main content


Court of Justice of the European Union Declares the U.S.-E.U. Safe Harbor Invalid

Court of Justice of the European Union Declares the U.S.-E.U. Safe Harbor Invalid

October 14, 2015

The News
On October 6, 2015, the Court of Justice of the European Union (CJEU) sent shock waves through the U.S. and European business and data privacy communities when it declared the U.S.-E.U. Safe Harbor invalid. Since the year 2000, over 4,000 U.S. companies have relied on their compliance with the Safe Harbor framework to transfer personal data from the European Union (E.U.) to the United States to meet the requirements of the E.U. Data Protection Directive.     

Under the E.U. Data Protection Directive, personal information of E.U. citizens can only be transferred from the E.U. to countries that have adequate data protection.  The U.S. is one of a number of countries that do not meet this requirement. For those countries that are determined not to have adequate data protection, the E.U. has provided a few mechanisms to conduct such transfers.  In 2000, the U.S. Department of Commerce and the E.U. negotiated the Safe Harbor framework as one of the mechanisms.  In order to be Safe Harbor certified, a U.S. Company had to self-certify to the Department of Commerce that it complied with the E.U. privacy standards.  

This week, the CJEU made the declaration that the U.S.-E.U. Safe Harbor was invalid when they issued judgment in the Schrems v. Facebook case, concluding that (1) the Safe Harbor program managed by the U.S. Commerce department is invalid; and (2) the national data protection authorities of European Union countries can investigate and suspend international data transfers, even when the European Commission has determined that a non-EU country’s data protection regime provides adequate data protection. 

“Model Contracts” 
Companies that relied on their self-certification under the Safe Harbor framework should adopt one of the alternative means available to comply with the E.U. Data Protection Directive.  The most likely alternative for most companies will be the “model contracts.”  The “model contracts” are form contracts provided by the E.U. that are signed by the E.U. and U.S. companies.  The “model contracts” include requirements for how the data will be handled and processed in the U.S.   For companies receiving data from only a few locations in the E.U., implementation of the “model contracts” may be relatively simple, but for those with multiple connections between the E.U. and the U.S., the endeavor could be significant.   

Although the dust is still settling, companies that have relied on their Safe Harbor certification to transfer data from the E.U. to the U.S. in compliance with the E.U. Data Protection Directive will now need to adopt and implement alternative means to comply with the directive.  Companies who themselves do not rely on their Safe Harbor certification but who transfer data to U.S. based vendors who are Safe Harbor certified and who rely on the vendor’s Safe Harbor certification should promptly contact the vendor to determine the steps the vendor is taking to address the change in the law.  Companies that rely on other means of complying with the E.U. Data Protection Directive do not need to take any action at this time, but they should audit developments from the E.U. as these other means may also come under attack in the future.

In the coming weeks, it is expected that the U.S. Department of Commerce will provide guidance on how companies should respond to the CJEU decision.

Further Information
If you rely on such a contract or to discuss how these issues may impact you, please contact Catherine Intravia or any member of Shipman & Goodwin’s Privacy and Data Protection Group.


Practice Areas

Industries & Featured Services

© Shipman & Goodwin LLP 2020. All Rights Reserved.