The Safe Harbor had come under such substantial criticism following the 2013 Edward Snowden revelations that both the European Union and the United States were in the process of upgrading the framework well before the European Court of Justice (ECJ) struck it down on Oct. 6. Nevertheless, the ECJ's ruling is unsettling because the Safe Harbor framework offered legal certainty and constituted a unique solution to secure trans-Atlantic exchanges of information. And the ruling is even more unsettling because the practical outcome may be less privacy for individuals, not more.

Everyone agrees that the ECJ made a strong statement. It criticized the fact that the framework does not take into account that U.S. national security agencies “on a generalized basis” and “without any differentiation, limitation or exception” may access personal information of European individuals. It should be noted, however, that the ECJ seems to rely on old findings about the state of play of U.S. surveillance legislation compiled in 2013. The ECJ also decided that the Safe Harbor framework could not restrict national data privacy regulators' powers to investigate consumer complaints about effective protection of their personal information.

So where does that leave us now? The answer is not clear, since today neither industry nor privacy regulators can fully appraise the economic and “legal toxicity” of the ruling's fallout. National regulators are expected to soon take a position on the matter and to provide guidance to industry. It is feared that the ruling may cause fragmentation between national regulators' policies on international data transfers, which would create serious issues for corporations with a presence in multiple European countries. In a statement announced Oct. 16, the national regulators called for political action between the EU and the U.S. to solve the issue. They threaten coordinated enforcement actions as of the end of January 2016 if companies have not implemented alternative data transfer solutions.