In a decision with significant potential ramifications for flows of personal data from the European Union to the United States, the Court of Justice of the European Union (CJEU) handed down its judgment in Maximillian Schrems v Data Protection Commissioner (Case C-362/14) that the Safe Harbor Decision no longer provides adequate protection for data transferred between the EU and the U.S. What once had been a valid method of transferring data from the EU to the U.S. for more than 15 years, has now been professed immediately invalid and subject to further investigation by each of the EU Member States’ national data protection authorities with “all due diligence”.
In a October 6, 2015 press statement, EU officials did not make any specific mention of a grace period for businesses to put in place alternative measures, but promised a coordinated response to the situation from national supervisory authorities, and pointed to existing methods of establishing adequate protection under the EU regime. The opinion permits member state data protection authorities to independently investigate complaints related to countries that the Commission has deemed to provide adequate levels of data protection.
While the full impact of this decision is currently unknown, it could have far reaching implications for global life sciences companies. Specifically, companies certified to the Safe Harbor list will need to find alternate legal mechanisms to transfer data, and they will need to consider the impact of this decision on any vendors/suppliers used by the company, as many are likely certified to Safe Harbor.
For more details regarding this decision, read the Reed Smith Client Alert or contact Cynthia O’Donoghue, Daniel Kadar, Kate Brimsted, Dr. Thomas Fischl, Philip Thomas, Katalina Bateman, Doretta Frangaki, Caroline Gouraud, Chantelle A. Taylor and Tom C. Evans.