As I am sure many readers are well aware, on Oct. 6, the Court of Justice of the European Union found that the protections of individual data users' privacy under the Safe Harbor program were insufficient to protect the privacy rights guaranteed by the Charter of Fundamental Rights of the European Union, and so invalidated the program. The Safe Harbor program, implementing an agreement between the United States and the European Union, is one under which entities seeking to bring data from the European Union to the United States that contains information personal to protected EU data subjects must comply with rigorous security procedures and so certify to the Federal Trade Commission. The court found that because the Safe Harbor agreement between the United States and the European Union did not prevent the National Security Agency from accessing data transferred from the European Union, and because the United States provided no legal recourse for individuals whose data was not properly protected, the Safe Harbor program was not sufficient to protect the privacy of EU subjects.

In this month's column, we will review the opinion. We will also discuss possible next steps for those who wish to transfer data from the European Union to the United States, and the issues that can arise with those next steps.

The Opinion

Directive 95/46/EC of the European Parliament and of the Council of Oct. 24, 1995, provided the standards for the protection of individuals with regard to the processing of personal data and on the free movement of such data, as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of Sept. 29, 2003. In Commission Decision 2000/520/EC of July 26, 2000, the protection provided by Safe Harbor was found to be sufficient to satisfy Directive 95/46.

The challenge to the decision arose in the wake of the allegations of Edward Snowden regarding the NSA's access to and searching of data sent from the European Union to the United States. The court found several problems with the NSA program. It noted that the NSA's PRISM program, “a large-scale intelligence collection” program, gave U.S. authorities access to data stored and processed in the United States, including data brought to the United States by Safe Harbor-certified entities. Thus, the program allowed “U.S. intelligence authorities to collect personal data initially processed in the” European Union. The court noted that Safe Harbor-certified companies included “Google, Facebook, Microsoft, Apple [and] Yahoo,” which had hundreds of millions of clients in Europe and transferred personal data to the United States for processing, all of which was accessible via the PRISM program. The large-scale access by intelligence agencies to data transferred to the United States by Safe Harbor-certified companies raised additional serious questions regarding the continuity of data protection rights of Europeans when their data was transferred to the United States.