Safe Harbour declared invalid - what might this mean for you or your customers?

The European Court of Justice has today (6/10/15) declared the Safe Harbour scheme invalid. What might this mean for you or your customers who send personal data to the US under the “Safe Harbour” framework?


Under the UK’s Data Protection Act, transfers of data by data controllers to countries outside the EEA are only permitted where those countries provide an adequate level of data protection by EU standards. The Safe Harbour scheme was an agreement between the US and the European Commission which allowed transfers to companies in the US that had been certified by the US authorities as being “safe harbours”. Practically speaking, it legitimised transfers of EU personal data from one data controller in the EU to another “Safe Harbour” certified data controller in the US.

Today’s Ruling

The ECJ has today declared the Safe Harbour framework invalid – in the sense that a safe harbour certification will not, in and of itself, mean that the “adequacy” requirement has been fulfilled. Whether or not the adequacy requirement has been fulfilled in any given case will depend on the facts and will be a question on which the national data protection authorities (in the UK’s case, the Information Commissioner’s Office) will be permitted to take a view (previously, they could not look behind a Safe Harbour certificate).

Practical effect

I anticipate that today’s news will generate a lot of media attention. However, my view is “don’t panic” and that seems to be the ICO’s view as well, judging from their press release today (here) - the upshot of which is “watch this space”. UK companies which send their personal data to US companies who are “safe harbour” certified may, for the time being at least, continue to do so – it has not become illegal by virtue of today’s ruling. However, they will need to satisfy themselves that the organisational and technical processes of the companies to which they are sending data are actually sufficient for meeting the “adequacy” requirement. A “safe harbour” certificate in and of itself is not enough.

Also, there are other methods by which companies can transfer personal data outside the EEA and still be compliant with the law – such as the so-called “model clauses” or binding corporate rules (for use for intra-group transfers).

If you have any questions concerning today’s ruling or what it might mean for you, your customers, or data protection issues generally, then please do not hesitate to contact me.