Cross-border data transfer alert – US Safe Harbour invalidated

The Court of Justice of the European Union has invalidated the US Safe Harbour. If you, your supplier or business partner relies on the US Safe Harbour, or any other EU Safe Harbour, for cross-border data transfers, now is the time to check whether there will be any disruptions to your business and whether you need to implement additional measures to ensure that your data transfer practices don’t breach data protection laws.

‘Safe Harbour’ arose as a response to the EU’s 1998 Data Protection Directive, which prohibits the transfer of personal data from within the EU to countries outside the European Economic Area, unless the target country provides an adequate level of protection for personal information. The EU Safe Harbour framework was developed to overcome privacy law differences between the US and EU. Organisations registered under the Safe Harbour Decision would be deemed to provide an adequate level of protection for personal information.

However, after Edward Snowden’s WikiLeaks releases in May 2013, the validity of Safe Harbour was challenged in Maximillian Schrems v Data Protection Commissioner (C-362/14) on the basis that US law and practices offered no real protection of data against State surveillance.

While the transfer of data between the EU and US has not been immediately impacted, anyone involved in EU to US data flows should review their practices and monitor developments. US technology and online service providers are anticipated to be among the most significantly impacted. Companies involved in data transfers into and out of Australia with the US and EU need to brief themselves on what Safe Harbour invalidation means for them, particularly in the area of personal data transfers.