The Commission’s Decision on the Safe Harbor Agreement with the US Declared Invalid
6.11.2015Company: Deloitte
On 6 October 2015, the Court of Justice of the European Union (CJEU) issued a ruling in case C 362/14, Maximillian Schrems vs Data Protection Commissioner whereby it declared Decision 2000/520/EC of 26 July 2000 of the European Commission invalid.
The contested Commission’s decision defined the Safe Harbor framework which enabled transfers of personal data from the EU to the United States to the companies that undertook to adhere to those principles. By adopting the Safe Harbor framework, US companies effectively declared their reliability in personal data transferring and storage.
As a result of the CJEU’s ruling, the Decision on Safe Harbor became invalid with immediate effect due to the insufficient level of personal data protection in the US. The CJEU thus primarily responded to the fact that state authorities in the US have wide-ranging authority to access processed personal data. The Czech Data Protection Authority has been warning for a long time about the risks of the insufficient level of personal data protection in the US.
The CJEU’s ruling will have a significant impact on the companies transferring personal data from the EU to the US (also among companies within the same group) only on the basis of the Safe Harbor principles. Such companies should consider taking appropriate and adequate steps in response to the CJEU’s ruling.
If your company has been hitherto relying on the Safe Harbor principles when transferring personal data to the US, we recommend to review of the current setting of the personal data transfers and to apply other legal mechanisms that make it possible for transfers of personal data to countries outside the EU. From a practical perspective, it is advisable to implement the Standard Contractual Clauses defined in the relevant decisions of the Commission.
Miroslava Kuklincová
+420 246 042 859
Edita Krejčířová
+420 246 042 940
