Many organizations were left in legal uncertainty when the European Court of Justice invalidated the U.S.-E.U. Safe Harbor program last month. In a landmark ruling, the European Court of Justice held that, due to alleged spying by U.S. government agencies, companies could not ensure adequate protection for data transferred from the European Union to the United States, even if they met the safe harbor’s requirements. Therefore, data transfers under the program had to stop immediately.
E.U. countries operate under the Data Protection Directive. The directive requires E.U. member states to accord their citizens a baseline level of privacy protection for “personal data,” defined broadly as any information that can be used to identify an individual. “Personal data” includes information such as a person’s name, phone number and email address. Under the directive, such data may be transferred lawfully to a country outside the E.U., if the European Commission has determined that the country offers “adequate” protection for personal data, or if other means are taken to ensure sufficient data privacy. This makes data transfers to countries that are not deemed to offer adequate protections difficult, since most data is “personal data” under the directive.
