On 6 October 2015, the issued a judgment striking down the US safe harbor framework, which lets EU businesses send personal data to the US businesses registered under the scheme.

This briefing explains the background and implications of the ECJ decision. Note that the ECJ’s decision does not pose a direct threat to a significant proportion of transatlantic data flows, including in the context of investigations but:

• it is still important to consider whether a data transfer to the US complies with data privacy (and other) laws;
• safe harbor isn’t typically relied on for those transfers, and other potential gateways for lawful data transfers remain available, including the EU model clauses and other legal exemptions; and
• European companies might be indirectly affected if they use suppliers that rely on safe harbor to send personal data to the US (although US data storage providers and processors are likely to change their processes in response to the decision).

This briefing is available.