Data protection: Safe Harbor – Not as safe as it used to be

On 6th October 2015 the European Court of Justice (ECJ) issued its decision on ECJ Case C-362/14 (Maximilian Schrems vs. Data Protection Commissioner) and declared the Commission's US Safe Harbour decision invalid.

The concept of “Safe Harbour” evolved in the European Union after the European Commission’s decision of 2000 (Decision 2000/520/EC), which stated that U.S.-based companies which have completed a “Safe Harbour” self-certification procedure are considered compliant with the European requirements for personal data protection. Because of such certification, the respective US companies have the right to receive personal data from European legal entities or natural persons without further restrictions, even without the need to obtain approval from the European data protection authorities.

Following the ECJ’s decision, the member-state data protection authorities need to examine the adequacy level of data protection in third countries even where a decision of the European Commission exists.

Even before the European Court of Justice’s decision, the Standard Clauses for transfer of personal data to processors established in third countries (“Standard Clauses”), established by the European Commission, were seen as the better alternative to the “Safe Harbour” approach. By virtue of the European Commission’s decision of 5 February 2010, the Standard Clauses are considered as offering adequate safeguards for the purposes of Article 26, para. 2 of Directive 95/46/EC of the Parliament and the Council.

The most recent practice of the Bulgarian Data Protection Commission points in the same direction. The Bulgarian regulator requires the use of Standard Clauses even when the case involves companies certified under “Safe Harbour”.