8.10.2015

Safe Harbour No Longer – Major ECJ Decision on EU-US Data Transfers

The European Court of Justice has on 6 October 2015 handed down a decision (Schrems, case C-362/04) holding that transfers of personal data from the EU to the US can no longer take place under the Safe Harbour framework. The framework has widely been relied on as the legal basis for EU-US data transfers, but after the ECJ’s ruling, this will no longer be an option.

The decision directly affects all European companies that have been transferring personal data to Safe Harbour-certified counterparts in the US. The decision will require prompt action by these companies.

The Court’s ruling stems from a complaint filed by Austrian Maximilian Schrems with the Irish Data Protection Commissioner, concerning Facebook’s transfer of his data to the US. Mr Schrems argued that – despite the Safe Harbour framework – the US can no longer be considered to offer an ‘adequate’ level of protection for personal data. Schrem’s claim was made in light of the large-scale surveillance activities of US National Security Agency NSA that were revealed by Edward Snowden.

Despite the Irish Data Protection Commissioner first rejecting Schrems’ claim, the European Court of Justice ultimately agreed with him and invalidated the EU Commission’s decision to authorise data transfers to the US under the Safe Harbour framework.

Under EU and Finnish data protection law, personal data can be transferred out of the EU/EEA only if the destination country provides an ‘adequate’ level of data protection or if other safeguards are met. While the US as a whole has never met the EU’s adequacy requirement, the EU Commission has authorised data transfers to individual companies that have undertaken to comply with the Safe Harbour rules, as these companies have been considered to offer adequate protection.

After the Schrems decision, even Safe Harbour-certified companies are no longer regarded as offering adequate protection for EU citizens’ personal data. An EU company wanting to transfer data to a US company will have to rely on complying with other safeguards in order to justify its US data transfers.

Generally speaking, an EU company can continue to transfer data to the US, despite the Schrems ruling, provided that the company complies with one of the other available safeguard mechanisms:


Additionally, personal data may be transferred to the US where the relevant person gives his or her unambiguous consent to the transfer. However,e.g. when a company outsources IT systems, obtaining consent from all affected employees and customers can be difficult. There are also other safeguard mechanisms available, but they are rarely used by companies due to being impractical.

After Schrems, it will in principle be up to national data protection supervisors to decide on a case-by-case basis whether a data transfer meets all the relevant requirements (unlike Safe Harbour, which was an EU-level authorisation binding on the national supervisors). Nevertheless, the ‘Article 29 Working Party’ (WP29) – a co-operation body for the national EU data protection supervisors – has announced that it will issue uniform guidance for how to comply with the post-Schrems rules later this week. The Finnish Data Protection Ombudsman is expected to issue his own statement after the WP29 guidelines are issued.

We strongly advise companies to review their existing agreements and data transfer arrangements. If the company has relied on the Safe Harbour framework, it must carefully consider how best to comply with the new rules. Companies should also note that even if their direct contract is with a local company, that local company may transfer data onwards to the US. Companies remain fully liable for such transfers, even if they take place further down the subcontracting chain.

Latest news

Article published 10.4.2025 Sanna Aalto-Setälä joins the Environment, Energy & Green Transition team as Senior Associate Article published 1.4.2025 Castrén & Snellman promotes nine new Senior Associates and a Paralegal Article published 1.4.2025 Private wealth and tax expert Emmi Karvinen promoted to Counsel
All news

Latest references

Piippo – Sale of bale netwrap and baler twine machines and certain trademarks
We are acting as legal advisor to Piippo Plc in the sale of their bale netwrap and baler twine machines, related assets, and trademarks used in Piippo’s business to Portuguese Cotesi S.A. The sale of assets will be carried out in two phases and the final completion of the transaction is expected to occur during the first quarter of 2026. Piippo Oyj’s core business is baling nets and twine and it is one of the leading suppliers in the industry globally. The company’s global distribution network covers more than 40 countries. The company’s shares are listed on the First North Growth Market Finland operated by Nasdaq Helsinki Oy. Founded in 1967, Cotesi is one of the world’s leading producers of synthetic and natural twines, nets and ropes, with operations in Europe, North America and South America and its main production plant in Vila Nova de Gaia, Portugal.
Case published 17.4.2025
KKR – Acquisition of Karo Healthcare
We acted as Finnish legal adviser to KKR in connection with its acquisition of the entire share capital of Karo Healthcare from EQT. The transaction follows Karo’s significant strategic transformation from a Nordic specialty pharma business into a leading pan-European consumer healthcare platform, with an attractive product portfolio spanning core categories such as Skin Health, Foot Health, and Intimate Health, as well as Digestive Health and Vitamins, Minerals & Supplements. KKR & Co. Inc. (NYSE: KKR), is a leading global investment firm that offers alternative asset management as well as capital markets and insurance solutions. KKR sponsors investment funds that invest in private equity, credit and real assets and has strategic partners that manage hedge funds.  Completion of the transaction is subject to customary conditions and regulatory approvals. The transaction is expected to close in the coming months.
Case published 17.4.2025
Savings Banks Group – Sale of Sb Life Insurance
We advised the Savings Banks Group on an arrangement whereby the shares in Sp-Henkivakuutus Oy were sold to Henki-Fennia and at the same time the parties agreed on a long-term distribution cooperation for insurance savings and loan protection products. The closing of the transaction remains subject to regulatory approvals. Sb Life Insurance is a domestic life insurance company, established in 2007, offering insurance savings and risk insurance products to private customers and companies. The Savings Banks and Oma Säästöpankki Oyj act as agents for Sp-Life Insurance. Henki-Fennia is a subsidiary of Keskinäinen Vakuutusyhtiö Fennia, specialising in voluntary life, pension and savings insurance.
Case published 11.4.2025
Readpeak – Capital Investment
We advised Readpeak in an arrangement where Finnish growth fund Voland Partners made an investment in Readpeak. Readpeak is a service platform specialising in native advertising for purchasing, designing, and targeting the distribution of advertising space. Readpeak has quickly risen to a leading position with its platform solution, which enables an easy way to target and schedule communications as part of the news feed on media sites. Readpeak is a company founded in Helsinki in 2014, which has since expanded to nine European market areas and collaborates with over a thousand publishers. Readpeak redefines content-driven advertising using advanced machine learning models, creating added value for both quality media and journalism. Voland Partners is a minority investor specialising in the development of technology companies, with a mission to work together with entrepreneurs to build successful companies responsibly, creating success stories that benefit the entire society. Readpeak is Voland Partners’ sixth investment target, into which the fund company is investing from its first growth fund of 57 million euros.
Case published 10.4.2025
All cases