U.S. companies with European business will most likely mark 6 October 2015 as a dark day on their calendars.
The highest EU court, the European Court of Justice (ECJ) in Luxembourg, declared a fifteen-year-old longstanding EU decision authorizing a EU/US Safe Harbor “invalid.” The judgment is not appealable. This is a serious issue for the entire industry. According to the European Commission, the United States is a country with “inadequate” data protection laws.
The European Commission and the U.S. Department of Commerce, therefore, agreed in 2000 to a self-certification program for U.S. organizations that receive personal data from Europe. Pursuant to the self-certification program, a U.S. organization receiving personal data from Europe must certify that it adhered to certain standards of data processing comparable to EU data protection laws such that the EU citizens’ personal data was treated as adequately as if their personal data had remained in Europe. The Safe Harbor program is operated by the U.S. Department of Commerce and enforced by the Federal Trade Commission (FTC). Over 4,000 organizations have current self-certifications of adherence to the Safe Harbor principles. Thanks to the landmark ECJ decision, this Safe Harbor is now thrown into jeopardy.
Of Counsel Axel Spies authored this commentary for the American Institute for Contemporary German Studies (AICGS).