Safe Harbour

Reference Number: IDPC001, Press Release Issue Date: Oct 19, 2015
​​
 
Following the decision issued by the Court of Justice of the European Union (CJEU) in the case Schrems vs Data Protection Commissioner (Ireland), the Commission Decision 2000/520EC dated 26 July 2000, on the adequacy of the protection provided by the Safe Harbour privacy principles, was declared invalid by the CJEU Advocate General. The Court judgement requires that any adequacy decision implies a broad analysis of the third country domestic laws and international commitments. 

A statement from the EU Commission on this decision may be found on the following link: http://europa.eu/rapid/press-release_STATEMENT-15-5782_en.htm

The US Safe Harbour is therefore no longer considered as an automatic assurance for the privacy of citizens when their personal data is transferred to the US.

Following such ruling, the EU data protection authorities assembled in the Article 29 Working Party have discussed the consequences of such decision a press statement, available on this link:
Data controllers previously transferring personal data under the Safe Harbour scheme are required to use alternative mechanisms as provided for under national law in order to guarantee an adequate level of data protection for similar transfers to the US.​