Data Flow From The EU: Is It Dead?

Data Flow From The EU: Is It Dead?

Earlier in the month we wrote about the speaking tour of Dr. Dennis Voigt, of member firm Melchers, on the subject of the changes to the EU data transfer Safe Harbor mechanism (article below).  Click here for Dr. Voigt’s presentation on this important topic.

Under European Union (“EU”) law, personal data may only be legally gathered under strict conditions and such data is subject to robust protections. The right to privacy is a highly developed area of law in Europe, and members of the EU argue that the protections it requires for its citizens’ personal information are in general not met by US data information legal protections.  Accordingly, transfer of EU personal information to the US would not generally be allowed pursuant to the mandates of Directive 95/46/EC.  Recognizing the magnitude of this problem, the US Department of Commerce and the EU worked out a solution some 15 years ago.

Ally Law Data FLow

Since the year 2000 companies have relied upon the “US Safe Harbor provision” promulgated by the Commission of the European Community (“Commission”) in Decision 2000/520/EC as a simple and cost-effective legally compliant mechanism to transfer European personal data to entities in the US. The Safe Harbor provision requires that companies receiving EU personal data in the US accept and bind themselves to certain Safe Harbor Principles, which the Commission determined guaranteed an adequate level of protection for EU citizens’ personal data.  The Safe Harbor enables technology, telecommunications, and cloud companies to benefit from relatively free flows of European customer data to the US, among other important commercial personal information flows.

However, this October the Court of Justice of the European Union (“CJEU”) declared invalid the US Safe Harbor provision in Case C-362/14, Maximillian Schrems v Data Protection Commissioner, in which an EU citizen challenged the adequacy of protections to EU personal data transferred pursuant to the Safe Harbor provision.  In addition to declaring the Safe Harbor provision invalid, the CJEU decreed that surveillance activities by US authorities violate the EU data protection laws and the fundamental rights afforded to EU citizens, and the individual EU data protection regulators must be able to exercise independence to suspend a data transfer if it finds the protections inadequate.  This ruling will have and is already having significant repercussions around the world.

The EC commented it will continue to work towards a “safer” framework for the transfer of personal data between the EU and the US – and other jurisdictions. Until such time, entities must use other mechanisms available under EU data protection law for international transfers of personal data.  This will be an uncertain period and companies should analyze carefully the risks they may take in information transfer – whether effected by themselves or through third parties – and potential penalties for violating EU laws.  In addition, the decision may lead to questions and challenges by interested individuals relating to prior data transfers from the EU to the United States and other jurisdictions.  Ally Law members are experienced in determining legally compliant and effective manners in which to internationally transfer personal data and can advise you based on the specifics of your situation.  For more information about our services in this area, contact us at

Already individual EU jurisdictions are reacting to the CJEU repudiation of the Safe Harbor provision and directing changes in current practices in data transfer from their jurisdictions to the US which will immediately impact US companies’ practices.  Dr. Dennis Voigt, a partner at Melchers, a highly respected German law firm and member of the International Alliance of Law Firms, is experienced in EU/US data transfers and the nuances of the law governing the same.  This November Dr. Voigt will be speaking at select venues in Oregon and Washington, US, on the recent change in EU data protection law and its immediate and far-reaching repercussions.  For more about Dr. Voigt’s schedule and presentation, click here.

By Shelly L Dalrymple, Esq.


Share on facebook
Share on twitter
Share on linkedin
Share on email
Share on print

Recent Posts