• Contact Us

US Safe Harbor Provision Suspended

on Wednesday, 07 October 2015.

The European Court of Justice (ECJ) has just ruled that the legal basis used by many businesses for the transfer of personal data to the US is invalid.

The European Court of Justice (ECJ) has just ruled that the legal basis used by many businesses for the transfer of personal data to the US is invalid.

In a case brought against Facebook by an Austrian citizen, Max Schrems, it has said that the Safe Harbor arrangements do not provide adequate protection for the privacy of EU citizens.

This case will have a significant impact in the UK. It affects not only those with US parent or sister companies but all businesses that use outsourced services that use US-based servers. This may include payroll administration, CRM systems, cloud storage, email & website services (eg, online booking) and certain outsourced marketing services.

What does this mean for UK businesses?

The consequence of the ruling is that businesses that currently rely on Safe Harbor will need to review how they ensure that they transfer data to the US in line with the law in the UK. In light of the ECJ ruling, many will now be operating in breach of the Data Protection Act.

The Information Commissioner's Office has indicated in its initial response that it recognises that it will take some time for businesses to carry out those reviews and put new systems in place. That is welcome since it means that there is no immediate threat of enforcement action for non-compliance in this respect.

However, if your business transfers personal data to the US, including by using such tools as Google Drive, Microsoft 365 or other cloud storage, we strongly recommend that you review your position as a matter of some urgency.


To discuss how our experienced data protection team can help you, please contact Serena Tierney on 020 7665 0817, or Andrew Gallie on 0117 314 5623.