Last October’s ground breaking decision from the Court of Justice of the European Union (ECJ) on the US Safe Harbour has sent ripples through the transatlantic business community. The judgement not only affects US businesses with subsidiaries in Europe, but IT-related service providers (particularly online services) with European customers. These businesses can no longer rely on the US Safe Harbour to transfer personal information relating to their employees, customers and suppliers from Europe to the US. This article explains the implications of the decision, how these affect organisations and how businesses can address the change.

European data transfers, the US Safe Harbour Decision, and Maximilian Schrems

European data protection laws stem from the European Data Protection Directive 95/46/EC (the Directive). The Directive prohibits the transfer of EU citizens’ personal data to countries outside the European Economic Area (EEA), which do not guarantee its adequate protection. In 2000, the European Commission issued a decision recognising the US Safe Harbour as providing adequate protection. Since the decision, thousands of businesses have relied upon the Safe Harbour to enable the transfer of their employees’, customers’ and suppliers’ personal data from Europe to the US. However, the ECJ decision of 5 October 2015 marked the end of the Safe Harbour, and arguably the days of ‘easy’ transfers of data to the US, leaving many businesses scrambling to find alternatives, or risking substantial fines from data protection authorities.

Apr-Jun 2016 Issue

Wedlake Bell