Checking the permissibility of data transfer to the USA

The end for Safe Harbor – current decision of the ECJ has far-reaching consequences, also for national companies

Collaboration with service providers based in the USA has been critical from a data protection perspective for some time now. Recent incidents such as the NSA affair have raised considerable doubts as to whether an adequate level of data protection can be guaranteed in the USA at all. However, the adequacy of the level of data protection in the recipient country is a prerequisite for data transfer to take place at all.

Many U.S. providers have had themselves certified under the so-called Safe Harbor Agreement in order to be able to demonstrate an appropriate level of data protection. With a recent decision of the European Court of Justice of October 6, 2015 (RS C-362/14), it is now clear that such a Safe Harbor certification is not sufficient for such proof of the adequacy of the level of data protection – the transfer of data to the USA on the basis of such a certification is thus inadmissible with immediate effect.

The decision issued in connection with Facebook’s data retention will have far-reaching consequences. American providers will have to rethink and provide evidence of an adequate level of data protection in other ways than via the Safe Harbor agreement. There is also a need for action for European companies that work with service providers in the USA. Without an alternative regulation, data transfer to the USA will be inadmissible in the future. Companies that work with U.S. service providers must check whether the transfer of data can continue as before. The form of cooperation is ultimately irrelevant. It is sufficient for a company to use cloud services for the storage of data or, for example, software as a service services from a US provider.

If you have any questions about this topic, please contact Dr. Drewes at .