European Court of Justice Invalidates U.S.-E.U. Safe Harbor Program

On October 6, 2015, the European Union’s highest court (the “ECJ”) issued an order (the “Order”) invalidating the 15-year-old U.S.-EU Safe Harbor Program (the “Program”).  Schrems v. Data Prot. Comm’r, E.C.J., No. C-362/14.  The Program allowed U.S. companies to transfer EU citizens’ data to the U.S. by self-certifying to the U.S. Department of Commerce privacy principles similar to those contained in the EU Data Protection Directive (95/46/EC).  The basis for the Order was that the Program didn’t safeguard personal data against surveillance by the U.S. government and didn’t allow sufficient redress to EU citizens whose privacy had been breached by such surveillance. The case was initiated by Austrian law student Max Schrems against Facebook in Ireland where Facebook’s European operations are headquartered.  The case was referred to the ECJ by Ireland’s High Court after the Irish Office of the Data Protection Commissioner said it didn’t need to examine the complaint about data transfers made by Facebook Ireland Inc. because the transfers were done in accordance with the Program.  The ECJ found that U.S. authorities could ignore the privacy protections of the Program and could “access the personal data transferred from the member states to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.” The European Commission has stated publicly that any transfer of data from European Economic Area in the last 15 years that relied on the Safe Harbor Program may be subject to legal challenge.  While approximately 4,400 U.S. companies are certified under the Program, the Order would not prevent the continued transfer of data by those with alternative means for data transfers in place, such as binding corporate rules or model contracts.