CLS Blue Sky Blog

Morrison & Foerster explains ECJ Safe Harbor Opinion’s Implications for all Data Transfers out of Europe

The European Court of Justice (ECJ) followed the core of the Opinion of the Advocate General (AG) (see our Privacy Minute dated October 3, 2015) in Schrems v. Data Protection Commissioner (Case No. C-362/14).


In sum, the ECJ held that:

  1. Member State Data Protection Authorities (DPA) must be allowed to:
    • examine complaints from individuals regarding the treatment of their personal information by other countries;
    • bring cases to court to question the validity of adequacy decisions; and
    • suspend the transfer of personal information to other countries when they believe it is appropriate.
  2. The Safe Harbor Decision is invalid because:
    • US companies may provide information to the US government to protect national security, public interest or law enforcement requirements;
    • The US does not provide European individuals with the ability to obtain judicial redress in the US; and
    • The European Commission overstepped its authority by limiting the bases on which DPAs could suspend transfers to the US.


This decision opens the door for every DPA to evaluate whether other countries outside the EU provide adequate protection for personal information. The Standard Contractual Clauses (SCCs) specifically give the DPAs the authority to prohibit or suspend transfers to other countries when the DPA determines that the laws of the other country are insufficient to protect privacy. Similarly, the adequacy decisions for Switzerland, and Canada and Argentina all provide authority for the DPAs to suspend transfers to these countries. Thus, the ultimate effect of the ECJ decision is to remove certainty and disrupt harmonization across the European Union and allow each DPA to decide for itself what cross-border transfers are permissible.

Moreover, because the invalidation of the Safe Harbor Decision was based, at its core, on a finding that the US does not provide adequate protection for personal information, that same logic can be applied to every other adequacy mechanism such as Binding Corporate Rules (BCRs) and the SCCs. Thus, a second result of the decision is that none of the existing adequacy mechanisms is a safe bet at the moment because the DPAs now have authority to independently determine if the recipient country, such as India, Brazil, China or the U.S., provides appropriate security (independent of the adequacy mechanism).

This decision demands a political solution that addresses the following points:

Practical Implications for Companies

Companies have only a series of bad choices before them:

In a press conference, the European Commission stated that it perceives the ECJ’s ruling as confirming the Commission’s approach to the renegotiation of the Safe Harbor and that, in the meantime, transatlantic data flows can continue using other mechanisms available or exceptions provided for under EU law (e.g., performance of a contract, public interest, consent). The Commission intends to work closely with national DPAs and will issue “clear guidance” on how to deal with data transfer requests to the US in light of the ruling, to avoid a patchwork of contradictory decisions. While reiterating the importance of protecting personal data, the Commission set as a priority to ensure that data flows can continue, as they are the “backbone” of the EU economy.

Just as with the whistleblowing hotlines a few years ago, the ECJ opinion has brought into clear view the conflict of laws between Europe and the US. Companies may spend a tremendous amount of time and money in the next few weeks seeking an alternative which just does not exist.

Waiting to see how this settles in the next few weeks may be the wisest course of action.

The full and original memorandum was published by Morrison & Foerster on October 7, 2015 and is available here.

Exit mobile version