European Court of Justice Invalidates Safe Harbor

By Michael Klazema on 10/14/2015

On October 6, the European Court of Justice (ECJ) ruled that the Safe Harbor Framework fails to provide adequate protections to European Union (EU) citizens, a move that dismantles the 15-year-old framework and replaces it with much uncertainty about the practical implications of cross-border data transfer.

While the ruling had not been expected for three months, the ECJ acted swiftly to endorse the opinion issued just two weeks ago by the European High Court, who agreed with Austrian Facebook member Maximillian Shrems that Safe Harbor does not protect EU citizens from mass surveillance by US intelligence agencies. 

The ECJ invalidated Safe Harbor partly because it places national security and law enforcement interests above the fundamental right to privacy, “so that United States undertakings are bound to disregard, without limitation, the protective rules laid down” by Safe Harbor.  The ECJ further noted that data review by intelligence agencies is based on no objective or measurable criteria and that EU citizens have no avenue to challenge the use of data held about them.

The judgement puts increased pressure on EU Data Protection Authorities (DPAs), as they now will be responsible for reviewing every citizen complaint regarding data transfer to the United States. 

What This Means to Clients and Their Candidates:

While the ECJ ruling has sent the business and privacy communities into a swirl of uncertainty, it is uniformly agreed that it unlikely that DPAs will suddenly come knocking.  There is currently bi-partisan legislation before Congress that would provide remedies to EU citizens with privacy act complaints and negotiations on Safe Harbor 2.0 have been underway for the past two years.  We expect extended debate on the topic.

It is important to note the ECJ judgement does allow for data transfer to countries without adequate privacy protections under certain exceptions. The most significant one for clients using international services is where “the data subject has given his consent unambiguously to the proposed transfer.” Of the 28 EU countries that have adopted legislation implementing the EU data protection directive, all but Romania have explicitly adopted this exception.

Therefore, suggests that organizations obtain explicit, written consent from the data subject to information about the data subject being sent to the United States.

What You Should Do:

Tag Cloud
Recent Posts

Latest News

  • April 19

    In a post-Penn State scandal world, universities are more aware than ever of the need to protect students by vetting faculty. The extent of this vetting and its implementation are hot topics causing controversy on campuses nationwide.

  • April 18 Amazon’s criminal background checks look back seven years and consider any convictions from that time. All finalists must complete criminal background searches, reference checks, and drug tests.
  • April 17

    From entry-level positions to roles involving “Top Secret” security clearances, military roles can involve a variety of different background investigations. We look at what different types of military background checks entail.

  • April 17 A new CNBC series is looking at true HR stories and their lessons. The most recent installment looked at the consequences of not running background checks.
  • April 12 Complicated by patchwork legislation and continuing federal prohibition, marijuana legalization poses several challenges for employers and would-be employees alike. Despite its legal status in a growing number of states, marijuana continues to negatively impact job-seekers.
  • April 12 Familiarizing yourself with the legality of background checks is essential. Continue reading about laws and regulations.
  • April 11

    Understanding the background check obligations in your industry and state.

  • April 10 A former employee of a senior assisted living community is facing charges for stealing from a resident. The alleged theft occurred after the employee gained access to the patient’s credit cards and checking account.
  • April 06 Background checks aren’t pass or fail. Employers consider various factors before making any hiring decision based on background check data.
  • April 06  Level 1 and Level 2 are terms used in Florida law to describe background check requirements for employers. We look at what a Level 2 background check entails.