8.10.2015

Safe Harbour No Longer – Major ECJ Decision on EU-US Data Transfers

The European Court of Justice has on 6 October 2015 handed down a decision (Schrems, case C-362/04) holding that transfers of personal data from the EU to the US can no longer take place under the Safe Harbour framework. The framework has widely been relied on as the legal basis for EU-US data transfers, but after the ECJ’s ruling, this will no longer be an option.

The decision directly affects all European companies that have been transferring personal data to Safe Harbour-certified counterparts in the US. The decision will require prompt action by these companies.

The Court’s ruling stems from a complaint filed by Austrian Maximilian Schrems with the Irish Data Protection Commissioner, concerning Facebook’s transfer of his data to the US. Mr Schrems argued that – despite the Safe Harbour framework – the US can no longer be considered to offer an ‘adequate’ level of protection for personal data. Schrem’s claim was made in light of the large-scale surveillance activities of US National Security Agency NSA that were revealed by Edward Snowden.

Despite the Irish Data Protection Commissioner first rejecting Schrems’ claim, the European Court of Justice ultimately agreed with him and invalidated the EU Commission’s decision to authorise data transfers to the US under the Safe Harbour framework.

Under EU and Finnish data protection law, personal data can be transferred out of the EU/EEA only if the destination country provides an ‘adequate’ level of data protection or if other safeguards are met. While the US as a whole has never met the EU’s adequacy requirement, the EU Commission has authorised data transfers to individual companies that have undertaken to comply with the Safe Harbour rules, as these companies have been considered to offer adequate protection.

After the Schrems decision, even Safe Harbour-certified companies are no longer regarded as offering adequate protection for EU citizens’ personal data. An EU company wanting to transfer data to a US company will have to rely on complying with other safeguards in order to justify its US data transfers.

Generally speaking, an EU company can continue to transfer data to the US, despite the Schrems ruling, provided that the company complies with one of the other available safeguard mechanisms:


Additionally, personal data may be transferred to the US where the relevant person gives his or her unambiguous consent to the transfer. However,e.g. when a company outsources IT systems, obtaining consent from all affected employees and customers can be difficult. There are also other safeguard mechanisms available, but they are rarely used by companies due to being impractical.

After Schrems, it will in principle be up to national data protection supervisors to decide on a case-by-case basis whether a data transfer meets all the relevant requirements (unlike Safe Harbour, which was an EU-level authorisation binding on the national supervisors). Nevertheless, the ‘Article 29 Working Party’ (WP29) – a co-operation body for the national EU data protection supervisors – has announced that it will issue uniform guidance for how to comply with the post-Schrems rules later this week. The Finnish Data Protection Ombudsman is expected to issue his own statement after the WP29 guidelines are issued.

We strongly advise companies to review their existing agreements and data transfer arrangements. If the company has relied on the Safe Harbour framework, it must carefully consider how best to comply with the new rules. Companies should also note that even if their direct contract is with a local company, that local company may transfer data onwards to the US. Companies remain fully liable for such transfers, even if they take place further down the subcontracting chain.

Latest references

We advised A. Ahlström in establishing a corporate sustainability due diligence process plan which incorporates best practices and tailored solutions based on our expertise within relevant business sectors. Our comprehensive ESG offering also included tailored training for members of the investment team and management team and the board of directors of several portfolio companies. ‘The ESG team at Castrén & Snellman provided us with legal and practical advice around the ESG regulatory tsunami that we need to incorporate in our ESG work,’ comments Camilla Sågbom, Director, Sustainability and Communications, at A. Ahlström Oy. A. Ahlström is a family-owned industrial company, developing leading global specialist positions in Forest & Fiber and Environmental technology sectors.
Case published 5.9.2024
We represented Vapaus Bikes Finland Oy, a company offering employee benefit bikes, in its international EUR 10 million Series A funding round. The investors behind the funding are private equity investors Shift4Good and Superhero Capital Ltd as well as Tesi together with the European Guarantee Fund of the European Investment Bank. The equity-based funding will support the company’s international expansion, software development, platform automation, and the growth of its concept for the second-hand market of bikes. Vapaus Bikes Finland is at the forefront of sustainable mobility services and has been a pioneer in the Employee Benefit Bikes sector since late 2020. It has been ranked among Finland’s fastest growing companies. Shift4Good is an impact venture capital fund focused on the decarbonisation of the transportation sector. Tesi (officially Finnish Industry Investment Ltd) is a state-owned, market-driven investment company that invests in venture capital and private equity funds and directly in Finnish startups and growth companies.
Case published 21.8.2024
We successfully acted for the City of Rovaniemi in a matter concerning offence in public office and damages claims in relation to a significant investment decision made by the city. The defendants were the city’s former municipal corporate officer, who was in an employment relationship, and a city treasurer, who was in a public-service employment relationship and acted as the supervisor of the municipal corporate officer. The criminal matter related to the City Board’s decision to invest EUR 2 million of the city’s funds in bonds offered by a newly established investment company in accordance with a decision prepared by the defendants. A significant part of the company’s operations involved quick loan business. The main legal question in the matter was whether the investment of public funds constitutes an exercise of public authority and whether regulation on offences in public office therefore becomes applicable even to a person in an employment relationship. The municipal corporate officer in an employment relationship was charged with aggravated abuse of public office based on her negligence in the preparation and presentation of the investment decision as well as based on a conflict of interest due to the fact that she had invested her own money in a company that received funding from the investment target presented to the City Board. The charges of an offence in public office against the city treasurer concerned his position as the supervisor and reporter of the city’s investment activities. He was also involved in the preparation and presentation of the City Board’s decision. The processing of the matter started in the District Court of Lapland in June 2022. In its judgment given in August 2022, the District Court stated, based among other things on our argumentation, that the investment of public funds constitutes an exercise of public authority and that regulation on offences in public office can therefore be applied to the municipal corporate officer. The District Court deemed that the conduct of the former municipal corporate officer fulfils the characteristics of abuse of public office and that the conduct of the former city treasurer fulfils the characteristics of violation of official duty with respect to the preparation of the investment decision, but the right to bring charges had become time-barred. Punishments could therefore not be imposed on the defendants, but the defendants were ordered to jointly and severally pay the city approximately EUR 114,000 in damages plus interest for late payment. The city treasurer’s share of the amount was 10%. The prosecutor accepted the judgment but the other parties appealed it to the Court of Appeal. Acting for the city, we pursued claims for both punishment and damages in the Court of Appeal. The Rovaniemi Court of Appeal processed the matter in November and December 2023. In its judgment given in June 2024, the Court of Appeal upheld the District Court’s judgment with respect to the abuse of public office and violation of official duty. The Court of Appeal deemed that the municipal corporate officer had failed in her duty to declare the conflict of interest. In addition, she had failed in her duty to ensure that the prepared decision was in compliance with the city’s investment guidelines and that it had been properly put out to tender. The Court of Appeal also found that the text of the investment proposal was insufficient and misleading and that the municipal corporate officer’s conduct was intentional. As regards the city treasurer, the Court of Appeal held that he had failed in his duty to ensure that the investment proposal to the City Board complied with the investment guidelines, that the presentation was not misleading and that risks were taken into account as required by the investment guidelines. With the judgement, the Court of Appeal took a clear position that abuse in public offices and when exercising public authority is not acceptable. The judgment is also significant as it declares that investing public funds constitutes an exercise of public authority and that the liability for acts in office therefore becomes applicable even to persons in employment relationships. In addition, a key question for the Court of Appeal to assess was defining the amount of economic damage in a matter related to investment activities. The Court of Appeal held based on our arguments that the conduct of the municipal corporate officer and the city treasurer had caused damage to the city. The Court of Appeal increased the amount of damages to EUR 210,000 with the city treasurer’s share limited to 10%. The amount was increased because the Court of Appeal deemed that the city had suffered damage not only in terms of the loss of capital but also in terms of the loss of estimated return on investment. The judgement is not final.
Case published 21.8.2024
We advised Tesi (Finnish Industry Investment Ltd) in its investment in the heavy duty vehicles company Oy Sisu Auto Ab. With this investment, Tesi became an owner in the company with a share of 24.4 per cent. Sisu Auto is a pioneer in the Nordic market in the development of heavy duty vehicles. Sisu’s core competences are in the product development and production of trucks and military vehicles. Tesi is a state-owned, market-driven investment company that invests in venture capital and private equity funds and directly in Finnish startups and growth companies. The investments managed by Tesi total 2.1 billion euros.
Case published 19.8.2024