The European Court of Justice, (the EU’s highest court), ruled on Tuesday, October 6th that the safe harbor pact between the EU and the U.S. should be declared invalid because it fails to provide adequate protection for EU citizens’ data. The ruling follows Advocate General Yves Bot’s opinion (covered here) two weeks ago that the safe harbor pact be struck down because U.S. officials, including the NSA, has unfettered access to EU citizens’ data once it is transferred to the U.S.
The European Court of Justice declared that the program should be struck down because U.S. law enforcement officials’ needs are put ahead of EU citizens’ privacy rights. It stated “The United States safe harbor scheme thus enables interference, by United States public authorities, with the fundamental rights of persons, and the commission decision does not refer either to the existence, in the United States, of rules intended to limit any such interference or to the existence of effective legal protection against the interference.”
So what does this mean for the 4,500 U.S. companies that have self-certified as safe harbor compliant since it came into existence in 2000?
According to the European Commission, it will continue to work toward a new framework for the transfer of EU citizens’ data to the U.S. with the Department of Commerce, and the Commission expects companies to be able to use other privacy measures allowed by EU law. It will release “clear guidance” for data protection authorities in the EU in light of the ruling.
Companies may wish to continue to use appropriate data privacy and security measures for any data received from EU citizens and to keep a vigilant watch for guidance from the European Commission. We will be watching closely and will update you as guidance is issued.
But companies should also be aware that the Federal Trade Commission has publicly stated that despite the ruling, it will continue to monitor compliance by companies that have self-certified to the safe harbor program and move forward with enforcement actions. For the FTC, it is the status quo for now.