In September, Yves Bots, Advocate General of the European Union Court of Justice, submitted an opinion stating that the EU/U.S. Safe Harbor agreement governing international data transfer was insufficient in its current form, remarking that it should allow member states to determine what classifies as the responsible handling of private information as outlined in the EU’s privacy directive. Now the EU Court of Justice (EUCJ) itself has issued a ruling, siding with Bots and potentially creating a host of legal hurdles for U.S. organizations.
In its decision, the EUCJ said, “Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity.”
