By Ann Kristin Glenster – Edited by David Nathaniel Tan
On October 6, 2015, the Court of Justice of the European Union (“CJEU”) delivered another landmark ruling concerning the handling of personal data by U.S. companies in Europe. Responding to a request from the Irish High Court, the CJEU held that the Safe Harbor Agreement (the “Agreement”), under which companies like Facebook were able to legally transmit personal data from their European subscribers to the U.S., was invalid. This article will give a brief overview of the Agreement and the case, and explore some of the salient issues at which the European Court took umbrage. Finally, it will attempt to sketch out some possible consequences of the ruling, and the options that now face E.U. and U.S. legislators.
According to the CJEU, the Safe Harbor Principles did not provide adequate safeguards as required by the Data Protection Directive (95/46/EC) (the “Directive”). The decision has led to a flurry of activity on both shores of the Atlantic. On November 3, barely a month after the judgement was announced, it was the hot topic of debate at a House Communications Subcommittee of Commerce, Manufacturing and Trade meeting. Microsoft, Apple and Oracle, among others, urged U.S. legislators to take swift action as “trillions of dollars in global GDP were at stake.”
The CJEU decision has left U.S. companies in a quandary as to how they may demonstrate their compliance with European law in handling foreign customer data, as they wait for rescue by Safe Harbor 2.0. But so far, signals are weak that a new Safe Harbor Agreement can provide the much sought-after shelter for personal data making the journey across the Atlantic.