European Court of Justice Invalidates Safe Harbor

By Michael Klazema on 10/14/2015

On October 6, the European Court of Justice (ECJ) ruled that the Safe Harbor Framework fails to provide adequate protections to European Union (EU) citizens, a move that dismantles the 15-year-old framework and replaces it with much uncertainty about the practical implications of cross-border data transfer.

While the ruling had not been expected for three months, the ECJ acted swiftly to endorse the opinion issued just two weeks ago by the European High Court, who agreed with Austrian Facebook member Maximillian Shrems that Safe Harbor does not protect EU citizens from mass surveillance by US intelligence agencies. 

The ECJ invalidated Safe Harbor partly because it places national security and law enforcement interests above the fundamental right to privacy, “so that United States undertakings are bound to disregard, without limitation, the protective rules laid down” by Safe Harbor.  The ECJ further noted that data review by intelligence agencies is based on no objective or measurable criteria and that EU citizens have no avenue to challenge the use of data held about them.

The judgement puts increased pressure on EU Data Protection Authorities (DPAs), as they now will be responsible for reviewing every citizen complaint regarding data transfer to the United States. 

What This Means to Clients and Their Candidates:

While the ECJ ruling has sent the business and privacy communities into a swirl of uncertainty, it is uniformly agreed that it unlikely that DPAs will suddenly come knocking.  There is currently bi-partisan legislation before Congress that would provide remedies to EU citizens with privacy act complaints and negotiations on Safe Harbor 2.0 have been underway for the past two years.  We expect extended debate on the topic.

It is important to note the ECJ judgement does allow for data transfer to countries without adequate privacy protections under certain exceptions. The most significant one for clients using international services is where “the data subject has given his consent unambiguously to the proposed transfer.” Of the 28 EU countries that have adopted legislation implementing the EU data protection directive, all but Romania have explicitly adopted this exception.

Therefore, suggests that organizations obtain explicit, written consent from the data subject to information about the data subject being sent to the United States.

What You Should Do:

Tag Cloud
Recent Posts

Latest News

  • October 11 Sporting organizations have long maintained lists of people barred for misconduct. A new agency wants to collect those names into a publicly searchable database.
  • October 09 In July, Ohio Governor John Kasich signed an executive order requiring criminal background checks for all Medicaid providers. Some healthcare professionals, particularly counsellors to drug addicts, worry the new rule could cost them their jobs.
  • October 05 After a city in Georgia adopted ban the box rules to increase fairness in hiring, unforeseen conflicts with additional city regulations rendered the change ineffective. The city must now find a fix. 
  • October 04 Whether you are applying for a job that involves driving or renewing your car insurance policy, your driving record can have an impact on what comes next. At, we offer a way to check the accuracy of your record.
  • October 03 What should employers expect to see on criminal history reports, and what should job seekers expect these checks to reveal? We take a look at what shows up on criminal background checks.
  • October 02 Employers across the country are becoming more open to hiring people with criminal records. The reasons behind the shift range from new laws to the state of the job market.
  • October 01 Insurance points can affect how much you pay for your auto insurance policy. How are these points assessed and what do you need to know about them?
  • September 28 A driver’s license check includes more than just details about moving violations. Here’s what to expect if an employer or insurance provider pulls your driving record.
  • September 28

    Your driving record can impact your car insurance rates—and coverage options—in several ways. Learn how insurance companies use motor vehicle records to adjust their rates.

  • September 27 — With an aging population, long-term in-home care options are becoming more popular. In many cases, state governments have failed to provide thorough vetting procedures, leading to incidents of harm.