In its judgment of 6 October 2015, the Court of Justice of the European Union invalidated the so-called Safe Harbour Decision of the European Commission. According to this decision, US entities which were (self-)certified as being "Safe Harbour" were considered to ensure an adequate level of data protection.
Furthermore, the Court held that an "adequacy" decision whereby the European Commission considers a "third" country outside the EEA to provide an adequate level of data protection, does not prevent national data protection authorities from examining the complaint of a data subject regarding the transfer of personal data to a third country, where the data subject believes that the country in question does not provide an adequate level of protection.
It goes without saying that this judgment will have a seismic impact on how EU undertakings have to handle personal data flows to the US. Time to weigh anchor, to sail away from the safe harbour and to look for alternative routes.
Please read more on this topic in our newsletter.