European Court of Justice Invalidates Safe Harbor

By Michael Klazema on 10/14/2015

On October 6, the European Court of Justice (ECJ) ruled that the Safe Harbor Framework fails to provide adequate protections to European Union (EU) citizens, a move that dismantles the 15-year-old framework and replaces it with much uncertainty about the practical implications of cross-border data transfer.

While the ruling had not been expected for three months, the ECJ acted swiftly to endorse the opinion issued just two weeks ago by the European High Court, who agreed with Austrian Facebook member Maximillian Shrems that Safe Harbor does not protect EU citizens from mass surveillance by US intelligence agencies. 

The ECJ invalidated Safe Harbor partly because it places national security and law enforcement interests above the fundamental right to privacy, “so that United States undertakings are bound to disregard, without limitation, the protective rules laid down” by Safe Harbor.  The ECJ further noted that data review by intelligence agencies is based on no objective or measurable criteria and that EU citizens have no avenue to challenge the use of data held about them.

The judgement puts increased pressure on EU Data Protection Authorities (DPAs), as they now will be responsible for reviewing every citizen complaint regarding data transfer to the United States. 

What This Means to Clients and Their Candidates:

While the ECJ ruling has sent the business and privacy communities into a swirl of uncertainty, it is uniformly agreed that it unlikely that DPAs will suddenly come knocking.  There is currently bi-partisan legislation before Congress that would provide remedies to EU citizens with privacy act complaints and negotiations on Safe Harbor 2.0 have been underway for the past two years.  We expect extended debate on the topic.

It is important to note the ECJ judgement does allow for data transfer to countries without adequate privacy protections under certain exceptions. The most significant one for clients using international services is where “the data subject has given his consent unambiguously to the proposed transfer.” Of the 28 EU countries that have adopted legislation implementing the EU data protection directive, all but Romania have explicitly adopted this exception.

Therefore, suggests that organizations obtain explicit, written consent from the data subject to information about the data subject being sent to the United States.

What You Should Do:

Tag Cloud
Recent Posts

Latest News

  • January 17 As part of efforts to foster more opportunities to work for those with criminal records, many states make allowances for expunging records. Pennsylvania has joined their ranks with a slightly different program.
  • January 15 A viral news story at The Cleveland Clinic has reignited the debate over social media background checks. The hospital recently fired a medical resident with a history of anti-Semitic tweets.
  • January 10 To remain a competitive employment option for retail workers, Best Buy will begin offering childcare options for parents. 
  • January 07 The rise of the "gig economy" was rapid, and questions about safety for users of these new services grew along with the industry. Background check policies in the gig economy can be unclear or unevenly applied, leading to barriers for some seeking jobs.
  • January 04 A new service that offers background checks for babysitters has come under fire for racial bias, invasion of privacy, and non-compliance with FCRA requirements. Predictim has paused its launch due to controversy.
  • December 21 Everyone with a driver’s license has a driving record. Here are some of the details that can be discovered or verified through a driving report records check.
  • December 20 Trust between patient and practitioner is a critical part of a strong healthcare system. An investigation uncovered hundreds of doctors practicing in new locations after giving up their licenses following serious mistakes.
  • December 18 Professional license verification checks help ensure that job candidates have the licenses or certifications necessary for certain positions. Here’s how they work.
  • December 17 When it comes to hiring new employees, Providence Wireless relies on for help with the vetting process.
  • December 13

    As the food truck fad proves it has staying power, many local governments have looked for ways to protect their communities without constraining economic activity. The effort to strike the right balance is ongoing.