How Safe is 'Safe-Harbour'?

On 6 October, the Court of Justice of the European Union (CJEU) issued its decision that has far reaching implications on businesses that transfer personal data to the United States. It held that the European Commission’s decision on 26 July 2000 that personal data can be transferred to the United States where organisations sign up to the ‘Safe-Harbour’ data protection principles, was invalid.


The EU Data Protection Directive (No.95/46) prohibits the transfer of personal data outside the EU unless those jurisdictions adequately protect the data. Where US companies adhere to the ‘Safe-Harbour’ framework, such data has been allowed to be transferred to the Untied States.

Maximillian Schrems, an Austrian Citizen, complained to the Irish Data Protection Commissioner that the personal data on his Facebook account should not be transferred from Facebook’s Irish subsidiary to its parent company in the United States, Facebook Inc. Needless to say, in view of the decision in 2000, the Irish Data Protection Commissioner rejected his request. An appeal followed, which saw the issue referred to the CJEU.

The CJEU noted that the Safe Harbour principles contained in the European Commission’s Decision in 2000:

  • are self-certified, so only apply to US companies that sign up to the principles;
  • do not apply to the United State’s public authorities; and
  • can be overridden by law enforcement requirements, public interest and for national security.

As such, the CJEU concluded that this did not provide an adequate level of protection for personal data transferred to the United States and, as such, the ‘Safe-Harbour’ decision in 2000 was invalid.

What does this mean for you?

The decision should make you consider what personal data you hold and where it is sent. If it goes outside the EU, does that jurisdiction provide adequate protection?

If you have a US company in your group, does information, such as the personal data of your staff, get sent to it? Do you use software provided by US companies, such as; cloud computing, HR software, sales databases? If so, you will need to carefully consider what information is sent to the United States and how you transfer any personal data to ensure you comply with local Data Protection principles.

Click here to read the CJEU’s decision.

Click here to see the UK’s Data Protection principles.

If you have any queries in relation to this or any other employment related matter, you should contact Matthew Kilgannon on 01483 411 517 or or your normal contact in the employment team