Cookies Policy

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we’ll assume that you are happy to accept these cookies.To get more information about these cookies and the processing of your personal data, check our Cookies Policy.


Ince Gordon Dadds Emergency Response +442072836999

Knowledge bank
Sector Insights

Data Protection – US “Safe Harbor” scheme held invalid

15.10.2015 IP, Media and Tech

David  Marchese

David Marchese Consultant

On 6th October 2015 the European Court of Justice (ECJ) handed down its ruling in the case of Maximilian Schrems v Data Protection Commissioner. The ECJ found that the US Safe Harbor scheme, which has been in place since 2000, is invalid. This means that, technically, many data transfers to the USA are now, and have been, illegal. In theory we could see people complaining to the relevant national data protection authorities and claims being made against companies that transfer personal data to the USA.

Mr Schrems was objecting to the Irish Data Protection Commissioner about the transfer of his Facebook data to US servers, in the light of the revelations by Edward Snowden in 2013 concerning the activities of the US intelligence services. The main reasoning for the decision is that the US public authorities are not restricted by the Safe Harbor scheme and so have unfettered access to all personal data transferred to the USA, which compromises the fundamental human right to respect for private life. It’s not clear what Mr Schrems will get as a result of the judgment, apart from publicity and the satisfaction of having overturned a scheme that has been used by thousands of companies, but the issue is still the subject of litigation before the High Court of Ireland (where Facebook and many other international companies process their personal data).

The UK Information Commissioner’s Office (ICO) has issued a statement in which it said that this does not mean that there is an increase in the threat to people’s personal data, that there are other options apart from reliance on the Safe Harbor, and that businesses that use Safe Harbor should review how they ensure that data transferred to the US is transferred in line with the law.

In a sense this is a political case, and arises against the background of continuing EU-US discussions, but at the moment companies it seems cannot safely make any data transfers from EU countries to the USA. Other processes do exist in addition to the Safe Harbor, such as Binding Corporate Rules and Model Contract clauses, but these mechanisms are expensive and time consuming to put in place. And in any event they would not seem to overcome the main point of the ECJ decision, in that no personal data transferred to the USA can now be said with any certainty to be secure if it is subject to “access on a generalised basis by the US authorities” (to quote the words of the ECJ).

The ICO says it will be working with its European colleagues to produce guidance following the ECJ ruling, which will be eagerly awaited.

Article authors:

David Marchese