European Court ruling that ‘Safe Harbor’ is invalid

The Court of Justice of the EU ("CJEU") declared on 6th October 2015 that the ‘Safe Harbor’ scheme that governs the transfer of European data to the US is invalid, effective immediately. This decision will affect businesses who transfer EU data to US companies which are certified under the Safe Harbor scheme, including companies that outsource data processing of EU data to the States, who may now need to revisit their data security measures.

See our latest article on the EU-US Privacy Shield regarding the new framework for transatlantic data flows to replace Safe Harbor.

What is ‘Safe Harbor’?

How did the new ruling come about?

What did the CJEU say?

The CJEU held that the EC’s decision in 2000 regarding Safe Harbor was invalid for the following reasons:

What are the implications of the CJEU’s ruling?

What alternatives are there to Safe Harbor?

What will happen now?

Is there cause for concern and what should US data processors do?

Further updates and advice

We will be keeping a watch on any guidance provided by the EC and the ICO and will update this article accordingly. If you would like any further information or advice on the effect of this ruling, please contact us at

9th October 2015

back to archive