The European Court of Justice Declares the Safe Harbor Decision Invalid
Decision of the ECJ
On October 6, 2015, the European Court of Justice (ECJ) released its decision in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, rendering the European Commission’s Safe Harbor decision invalid.
The Safe Harbor framework allowed US companies to receive personal information from the EU, despite the general prohibition that exists as a result of the inadequacy of US privacy laws.
There are two primary results from this ECJ decision:
1) If a US company is receiving personal information from the EU in reliance on the Safe Harbor framework, those transfers are now unlawful.
2) Individual EU member states are given broader supervisory power over the personal information exported from their country. As a result, a US company receiving EU data may now have to deal with varying privacy standards in order to comply with each applicable member state.

What this means for businesses receiving data from the EU
This development is relevant for Canadian companies too. If a Canadian company collects personal information from the EU, and in any way processes or stores such information in the US, the EU privacy laws are triggered. Direct transfers to the US are not required. So any company collecting personal information from the EU should keep abreast of the developments occurring in international privacy law, and should just as diligently ensure its corporate privacy policies remain current.
Companies previously relying on the Safe Harbor framework need to consider alternative data and privacy policies or risk being subject to investigation for unlawful transfers. There are other methods of legally transferring personal data from the EU to the US. However, the applicability, cost, and effectiveness of these methods will vary depending on the types of data being transferred and the EU member state from which the transfer originates.
Another option is to avoid transferring data to the US altogether, and instead retain all data here in Canada. Since the European Commission officially recognizes the adequacy of Canada’s data protection laws (PIPEDA), transfers of personal information from the EU to Canada are lawful without Safe Harbor.
In summary:
- The Safe Harbor framework previously provided a streamlined process for companies to legally transfer personal data from the EU to the US.
- The ECJ has declared the European Commission’s Safe Harbor decision invalid.
- As a result of the ECJ’s decision, (1) data transfers from the EU to the US in reliance on Safe Harbor are now unlawful; and (2) EU member states now have broader power to investigate data exports to other countries, increasing the compliance burden on companies in the US or with service partners in the US.
- To remove the exposure that may result from these developments, (1) conduct a complete audit of your data transfers and practices, (2) ensure your corporate privacy policy is up to date, (3) evaluate your service partners’ compliance with international privacy laws, and (4) ensure your opt-in consent procedure is properly designed.
- The simplest strategy for ensuring continued compliance with international privacy laws? Keep your data in Canada or the EU, and make sure your privacy policies are in line with Canadian privacy laws.
Talk to a privacy and information management lawyer today
At Segev LLP, we work with growth stage technology companies on all legal matters that affect their business, including privacy and information management. Contact one of our lawyers today to discuss the implications of the Safe Harbor issues discussed above, in the context of your business.
We can assist you in your privacy review and help to ensure your data practices and procedures are structured efficiently and in compliance with the international laws that apply to your company.