By Jennifer Archie, Gail Crawford and Ulrich Wuermeling

On October 6, the European Court of Justice ruled that Decision 2000/520 of the European Commission, which stated that Safe Harbor-certified US companies provide adequate protection for personal data transferred to them from the EU (the Safe Harbor Adequacy Decision), is invalid (Case C-362/14 – Maximillian Schrems v [Irish] Data Protection Commissioner). The judgment is immediately effective without a grace period. The Data Protection Authorities of the EU Member States (Article 29 Working Party) have already scheduled a working group emergency meeting to discuss the consequences of the judgment, but it is unlikely that the meeting will lead to a simple solution for the 4,000+ US companies who rely on Safe Harbor. The European Commission has also published a press release with a short set of guidelines.

The Reasoning of the Court

In its judgment of 6 October 2015, the Court stated that

  • “legislation permitting the public authorities to have access on a generalized basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter”
  • “legislation not providing any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter.”