Published by Tim Bukher - October 19, 2015 - Internet Law, Media & Privacy

In what may be a significant ruling for e-commerce and other e-businesses transacting in the European Union, the Court of Justice of the EU has declared the Safe Harbor mechanism for data transfer from the EU to the United States invalid.

Typically, countries in the EU afford a stronger level of protection to website users with respect to the collection, storage, and transfer of their personal information. As we’ve seen in the news of late, US companies, and the US government in particular, do not afford much respect to individual privacy. This afforded an obvious dilemma to companies that did e-business both in the EU and the US because the differing regulations on data treatment required different policies from country to country. The effective result was that companies were prohibited from transferring EU citizens’ data to servers in the US.

The Former US-EU Safe Harbor

In 2000, the European Commission sought to fix this dilemma by developing the Safe Harbour Privacy Principles. The US-EU Safe Harbor outlined a mechanism of notice, choice, opt-in/opt-out security protocols which, if properly employed across an organization’s various national branches, would allow the organization to transfer EU data to US servers.

Safe Harbor Invalid; New Developments

As of October 6, 2015, the Safe Harbor mechanism is no longer valid. The EU Court of Justice ruled that the Safe Harbor scheme cannot ensure adequate levels of protection for EU citizens’ data transferred to the US because US national security, public interest, and law enforcement requirements could potentially override an and all of the protections under the Safe Harbor mechanism (e.g., the US government could force a US company to disregard the promises it makes under its Safe Harbor policies).

Accordingly, as of this month, transnational e-commerce businesses will need to rely on other legal grounds for the transfer of EU personal data to the US–such grounds include EU standard model clauses, active consent policies, and BCRs (Binding corporate rules).


If you have questions about EU-US data transfer and privacy protocols or any other data-based regulation, please contact Tim Bukher or any member of the Thompson Bukher Internet, Media & Privacy Practice at (212) 920-6050.


Enter your email to get started.