8 October 2015

The bombing of Safe Harbour: what now for data transfers to the US?

The Safe Harbour decision was adopted by the European Commission on 26 July 2000. It recognised that US companies could ensure an "adequate level of protection" for data transferred from the European Community to the US by self-certifying to adherence to Safe Harbour Privacy Principles issued by the US Department of Commerce.

Safe Harbour provided a certain amount of comfort for UK businesses storing or processing customer data in the US that their practices were compliant with UK data protection laws, and free from the risk of regulatory intervention and fines. But all that changed on 6 October 2015 when the Court of Justice of the European Union (CJEU) declared Safe Harbour invalid.