8.10.2015

Safe Harbour No Longer – Major ECJ Decision on EU-US Data Transfers

The European Court of Justice has on 6 October 2015 handed down a decision (Schrems, case C-362/04) holding that transfers of personal data from the EU to the US can no longer take place under the Safe Harbour framework. The framework has widely been relied on as the legal basis for EU-US data transfers, but after the ECJ’s ruling, this will no longer be an option.

The decision directly affects all European companies that have been transferring personal data to Safe Harbour-certified counterparts in the US. The decision will require prompt action by these companies.

The Court’s ruling stems from a complaint filed by Austrian Maximilian Schrems with the Irish Data Protection Commissioner, concerning Facebook’s transfer of his data to the US. Mr Schrems argued that – despite the Safe Harbour framework – the US can no longer be considered to offer an ‘adequate’ level of protection for personal data. Schrem’s claim was made in light of the large-scale surveillance activities of US National Security Agency NSA that were revealed by Edward Snowden.

Despite the Irish Data Protection Commissioner first rejecting Schrems’ claim, the European Court of Justice ultimately agreed with him and invalidated the EU Commission’s decision to authorise data transfers to the US under the Safe Harbour framework.

Under EU and Finnish data protection law, personal data can be transferred out of the EU/EEA only if the destination country provides an ‘adequate’ level of data protection or if other safeguards are met. While the US as a whole has never met the EU’s adequacy requirement, the EU Commission has authorised data transfers to individual companies that have undertaken to comply with the Safe Harbour rules, as these companies have been considered to offer adequate protection.

After the Schrems decision, even Safe Harbour-certified companies are no longer regarded as offering adequate protection for EU citizens’ personal data. An EU company wanting to transfer data to a US company will have to rely on complying with other safeguards in order to justify its US data transfers.

Generally speaking, an EU company can continue to transfer data to the US, despite the Schrems ruling, provided that the company complies with one of the other available safeguard mechanisms:


Additionally, personal data may be transferred to the US where the relevant person gives his or her unambiguous consent to the transfer. However,e.g. when a company outsources IT systems, obtaining consent from all affected employees and customers can be difficult. There are also other safeguard mechanisms available, but they are rarely used by companies due to being impractical.

After Schrems, it will in principle be up to national data protection supervisors to decide on a case-by-case basis whether a data transfer meets all the relevant requirements (unlike Safe Harbour, which was an EU-level authorisation binding on the national supervisors). Nevertheless, the ‘Article 29 Working Party’ (WP29) – a co-operation body for the national EU data protection supervisors – has announced that it will issue uniform guidance for how to comply with the post-Schrems rules later this week. The Finnish Data Protection Ombudsman is expected to issue his own statement after the WP29 guidelines are issued.

We strongly advise companies to review their existing agreements and data transfer arrangements. If the company has relied on the Safe Harbour framework, it must carefully consider how best to comply with the new rules. Companies should also note that even if their direct contract is with a local company, that local company may transfer data onwards to the US. Companies remain fully liable for such transfers, even if they take place further down the subcontracting chain.

Latest references

We advised eQ Community Properties Fund in its acquisition of a property portfolio comprising a health centre in Espoo, a daycare property in Vantaa, an elementary school in Helsinki, and a parking facility property in Helsinki from Ilmarinen Mutual Pension Insurance Company. The lettable area of the first three properties is approximately 13,900 sq.m., while the parking facility offers 120 parking spaces. The portfolio’s tenants include the City of Helsinki, the City of Vantaa, the Western Uusimaa Wellbeing Services County, and Aimo Park Oy. In connection with the transaction, Ilmarinen invested in eQ Community Properties fund as per 31 December 2024.
Case published 9.1.2025
We successfully represented a Finnish manufacturing company in arbitration proceedings under the SCC rules against a global construction company. The dispute was governed by Finnish law and the seat of arbitration was Stockholm, Sweden. The dispute mainly concerned the termination of an erection contract and the right to compensation for delays of the project and for cost increases due to Russia’s invasion of Ukraine. The main questions in dispute were the lawfulness of the termination of the erection contract as well as the consequences of the termination such as the right to costs to complete the project after termination, the right to liquidated damages for delay of the project and adjustment of contract price due to cost increases. The total value of the dispute exceeded EUR 15 million.
Case published 8.1.2025
We advised Korkia Oy in its loan agreement with Nordic Environment Finance Corporation. The financing will support the development and international scale-up of Korkia’s pipeline of solar energy, battery energy storage system (BESS) and onshore wind projects. Korkia is a dedicated investor in renewable energy operating in nine countries. It has a robust development pipeline of over 20 GW in renewable energy and energy storage projects.
Case published 7.1.2025
We acted as the Finnish law legal advisor to Commerzbank AG, which served as the coordinator, bookrunner, documentation agent, facility agent and security agent of an international banking syndicate. This syndicate provided an ECA-covered construction financing facility of more than EUR 1 billion for the Finnish shipyard company Meyer Turku Oy. The loan facility will be used on the construction of one new passenger cruise ship. The newbuilding is the third of the ICON class. According to Meyer Turku Oy the ICON-class ships are the world’s most advanced and the most environmentally friendly cruise ships of their owner, Royal Caribbean Cruise Lines.
Case published 30.12.2024