Data protection law update

Published on 28th Apr 2015

Safe Harbour regime 

The Safe Harbour regime has been in troubled waters for some time and now risks being torpedoed even sooner than expected. Following a referral by the Irish High Court in the case Schrems v Data Protection Commissioner in June 2014, the European Court of Justice (ECJ) is set to rule on (i) whether “the proper interpretation of the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the Commission Decision of 26 July 2000 on the adequacy of the protection provided by the safe harbour privacy principles should be re-evaluated“, and (ii) whether as a consequence the Irish Data Protection Commission can “look beyond or otherwise disregard” the aforementioned Commission Decision on Safe Harbour. 

The hearing before the ECJ took place on 23 March 2015, during which the counsel for the European Commission conceded that “under Safe Harbour as it is currently applied in the US there is no guarantee that fundamental rights of EU data subjects will be respected“. The advocate general (Mr. Bot) is expected to submit his opinion to the ECJ on 24 June 2015. The final decision by the ECJ is expected later this year, during fall. Needless to say that the decision by the ECJ may have major implications for data flows between the EU and the US. If the Safe Harbour regime is invalidated or annulled, US companies will still be able to extract personal data from the European Union, but will have to do so, using other, more burdensome, tools available under the current Directive 95/46/EC

This and other data protection news will be covered more extensively in our data protection newsletter, coming out later this spring.


Belgium-based Counsel Ann-Sophie De Graeve and Senior Associate Johanna Van Herreweghen co-wrote an article for DataNews, titled The employee as a pawn in the battle for cyber security. In the article, Ann-Sophie and Johanna explore the role of employees in a company’s cyber security strategy: how employees can put companies at risk but also how companies can incentivize and train employees to be vigilant and a first line of defence against corporate cyber security threats. The article is available in Flemish and French.

Interested in hearing more from Osborne Clarke?

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Interested in hearing more from Osborne Clarke?