What ECJ's safe harbor ruling mean for EU companies?
On Oct 6th 2015 the European Court of Justice (ECJ) declared that the Commission’s US Safe Harbour Decision is invalid.
Whilst the Court of Justice alone has jurisdiction to declare an EU act invalid, where a claim is lodged with the national supervisory authorities they may, even where the Commission has adopted a decision finding that a third country affords an adequate level of protection of personal data, examine whether the transfer of a person’s data to the third country complies with the requirements of the EU legislation on the protection of that data and, in the same way as the person concerned, bring the matter before the national courts, in order that the national courts make a reference for a preliminary ruling for the purpose of examination of that decision’s validity.
This does not only affect end-users but also and especially European companies who rely on US services like Google Apps (Gmail, Google Drive, etc.), Amazon AWS or just about any cloud service hosted in the US. Companies should now carefully look at which APIs they use and how and where their data is stored.