On October 6th, the Court of Justice of the European Union (CJEU) delivered its judgment in Schrems, holding the 2000 Safe Harbour decision of the European Commission to be invalid. The Safe Harbour decision had enabled the easy flow of European personal data into the U.S. for the past 15 years.
Schrems will remain significant even after the Safe Harbour issue is resolved. In particular, the decision clarifies the role of the EU’s data protection authorities (DPAs). The CJEU notes that the DPAs were established to monitor “with complete independence, compliance with the EU rules on the protection of individuals with respect to the processing of….data”. In declaring the Safe Harbour decision invalid, the CJEU essentially wanted to give back the DPAs the power to evaluate the privacy protections for EU citizens on a case-by-case basis for a U.S. destination.
There has been no shortage of write-ups on the invalidity finding and its impact, including a recent look at the alternatives for EU-U.S. data transfers. Ultimately, the Commission and the U.S. government may enter into a new Safe Harbour agreement that may or may not satisfy the CJEU. What is clear is that any restriction of the DPAs powers will not be tolerated.