The Court of Justice of the European Union today ruled that the European Commission’s decision that the US Safe Harbour scheme provides an adequate level of protection is invalid. Their ruling states:
“In the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the National Security Agency (‘the NSA’)), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities of the data transferred to that country. ”
It further states:
” The scheme is applicable solely to the United States undertakings which adhere to it, and United States public authorities are not themselves subject to it. Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements”
Clearly, this has potentially huge implications for European legal entities who routinely transfer personal data to the United States for processing, including employment information, financial information or clinical trial data. United States entities can no longer be automatically considered “safe” for the purposes of data protection.