News and Events

Safe Harbour declared invalid with immediate effect

View profile for Christopher Buck
  • Posted
  • Author

Flag of the United States
The recent decision of the European Court of Justice (ECJ) issued on the 6th October 2015 has stated that the fifteen year old programme which has facilitated critical flows of data from the European Union to the United States is now invalid with immediate effect with a serious knock on effect for companies in the European Union.

Safe Harbour Agreement

The Safe Harbour Agreement, negotiated between the EU and the US by the European Commission in 2000, essentially provided a process designed to allow US firms to move information from the EU to the US in a manner which was complaint with the strict EU data protection directives. Ultimately, only companies that were Safe Harbour certified could transfer personal data to US entities as they were deemed compliant with the EU directives.

A recent case forced to the EU’s highest court by Austrian privacy campaigner Max Schrems, who took issue with the adequacy of protection to keep his private information on Facebook from the US Government provided by Safe Harbour, has led the Commission to rule that the Safe Harbour Agreement is invalid. The actions of Edward Snowden helped to bring the house of cards down when the former CIA agent leaked to the media details of extensive internet and phone surveillance by American intelligence illustrating that Safe Harbour protected information within the private sector but was not adequate enough to protect it from the government.

Knock on effect

Now that the 2000 Agreement has been declared invalid, American companies can no longer rely on the self-certification of Safe Harbour and must seek to strike model contract clauses in each case which will authorise the transfer of data outside of Europe.

The Commissioner, Vera Jourová, provided two alternatives for the short term:

  1. the use of standard data protection clauses in contracts between companies exchanging data across the Atlantic; or
  2. binding corporate rules for transfers within a corporate group.

The companies most affected are likely to be smaller, less financially and technologically able companies, who currently use US-based cloud services to store and process data that they could not do themselves. They too will have to strike model contract clauses to ensure that they are compliant with the strict EU data protection directives. This process of creating such agreements and getting them approved before data can be transferred will essentially be a costly and timely burden on smaller companies which is not desirable.

However, there is a light at the end of the tunnel. Since the Snowden revelations in 2013, the EU and US have been in negotiations to amend the Safe Harbour principle to ultimately limit the US Government’s access to EU citizens’ data stored in the US and to allow EU citizens to sue US companies should they misuse their data. The ECJ’s recent decision may well to help speed this process along as a new Safe Harbour is now needed.

Expert advice

If any further legal guidance is required on a data protection or privacy issues, feel free to contact me on 01908 660966 or by email at

Image courtesy of

Blog disclaimer