6 October 2015, was a particularly significant day for business across the world. On that day, the European Court of Justice (ECJ) invalidated the EU-US Safe Harbour Framework in Schrems vs. Data Protection Commissioner. For nearly a generation, the Safe Harbour Framework provided a streamlined legal mechanism for transferring EU residents’ personal data to the US. Roughly 4500 companies are registered under it with the US Department of Commerce, certifying that they comply with privacy principles similar to those contained in the EU Data Protection Directive. Following Schrems, any transfer of personal data from the EU to the US under the Framework is a breach of EU data protection law.

Schrems was brought as a test case. In the wake of Edward Snowden’s disclosures in 2014, Austrian privacy activist Max Schrems challenged the Safe Harbour Framework in court, alleging that Facebook supported US spying by passing European user data to the US government. The ECJ agreed with Schrems that the Framework violated EU law, reasoning that “the national security, public interest and law enforcement requirements of the United States prevail over the Safe Harbor scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements”.

Global impact

Going forward, the resolution of individual cases made by the Data Protection Agencies (DPAs) of EU member states will be governed by Schrems. That fact alone will have serious consequences for data transfers from the EU to the US.

Jan-Mar 2016 Issue

King & Spalding