In a much anticipated decision, the European Court of Justice (ECJ) ruled today that the European Commission’s approval of the US-EU Safe Harbor self-certification program is invalid. Safe Harbor establishes a framework for legitimizing the transfer of EU personal data – including the personal data of EU employees, customers and website visitors – to the United States. The program is used by more than 4,000 US companies.
The decision also makes clear that national data protection authorities in Europe have the power to ensure that personal data is protected in accordance with the Data Protection Directive and the EU Charter of Fundamental Human Rights, and that this power cannot be restricted by a decision of the European Commission. The ECJ concluded that EU citizens’ fundamental right to privacy is at risk under the Safe Harbor program because US companies receiving EU personal data “are bound to disregard, without limitation” the protective Safe Harbor principles when those principles conflict with US national security, public interest and law enforcement requirements.