Europe: US is no Safe Harbour for our data

State surveillance programs spell serious consequences for business – could Canada be next? Last week the Court of Justice of the European Union (CJEU), the highest EU court, issued a judgment in Case C-362/14 that invalidated the Safe Harbour Decision that heretofore had allowed U.S. companies to transfer and store personal data of EU citizens in the US as long as they voluntarily agreed to respect certain principles. This decision will affect over 4700 companies who have EU customers and store and process EU user data in the US. The EU Data Protection Directive provides that the transfer of personal data of EU citizens to a non-EU country “may, in principle, take place only if that third country ensures an adequate level of protection of the data”. Thus, personal data was allowed to be transferred out of the EU if the European Commission finds that the destination country has implemented an adequate framework for data protection by reason of its domestic law or its international commitments. The EU Commission had decided in 2000 that under the ‘safe harbour’ scheme, which was a series of principles concerning the protection of personal data to which U.S. companies could voluntarily subscribe, an adequate level of protection existed for personal data transferred to the US. For US companies, the transfer could have occurred under the safe harbour principles, through contractual undertakings or by relying on other exceptions set out in the Directive. This became known as the Safe Harbour Decision. The Commission has made adequacy findings for other non-EU jurisdictions such as Canada. In this case, a Facebook user named Maximillian Schrems filed...