Navigating the Recent Safe Harbor Invalidation
November 10, 2015
Assessing the Impact on International Corporate Data Transfers

Dino E. Medina, Esq.
General Counsel, CDS

In early October 2015, the Court of Justice of the European Union (CJEU) ruled that the U.S.-E.U. Safe Harbor program—created pursuant to European Commission Decision 2000/520/EC—is invalid because it does not allow individual E.U. member states to determine whether the program provides an adequate level of protection for E.U. citizens’ personal data. The decision in this case (Schrems v. Data Protection Commissioner, Case C-362/14) was fueled by Edward Snowden’s statements about NSA surveillance activities in the U.S. Since this is the highest court in the E.U., its ruling is binding on all E.U. member states and cannot be appealed.

For the past fifteen years, transnational companies including CDS used the Safe Harbor framework as a streamlined, cost-effective means to transfer data from the E.U. to the U.S. without violating the E.U.’s data privacy law, Directive 95/46/EC. It is important to note that, although the framework has been invalidated, there are still Directive-compliant modes of transporting data across E.U. borders and into the U.S.

Key Facts:

  • Ongoing discussions – CDS understands that Department of Commerce (DOC)/E.U. negotiations are ongoing, and the deadline for reaching a new agreement is January 31, 2016.  In the interim, the DOC continues to administer the Safe Harbor program and will likely provide direction to affected U.S. entities in the upcoming weeks.
  • Dispelling rumors – To date, there has been much public commentary on the CJEU’s ruling suggesting that transfers of personal data from the E.U. to the U.S. must cease immediately, and that all E.U. data currently in the U.S. under the Safe Harbor framework remains in-country illegally.  Neither scenario is true.
  • Nation-specific DPAs – Data Protection Authorities (DPAs) of each E.U. member state may now determine on their own whether Safe Harbor-based data transfers offer an adequate level of protection.  If a particular DPA finds it does not, then the DPA is free to suspend such transfers from its jurisdiction.
  • Data currently in the U.S. – The CJEU did NOT require any specific steps be taken with respect to data currently in the U.S. pursuant to Safe Harbor. However, should the DOC and E.U. not agree to a new Safe Harbor framework by the end of January 2016, DPAs will likely begin to take enforcement actions.

Other Options

There are other mechanisms available for cross-border data transfers.

  1. A Data Transfer Agreement with Model Contract Clauses can be used to establish the requirements for data transfers between companies and third-party vendors.
  2. Companies can develop Binding Corporate Rules for intracompany data transfers made transnationally, which require DPA approval for the respective E.U. member state.

CDS will consider these mechanisms on a case-by-case basis and will leverage its full-service, London-based data center to maintain data within E.U. borders whenever possible.


Complete Discovery Source (CDS) is a leading eDiscovery company, providing litigation technology and hosting, advisory services, and managed services to support complex discovery matters. CDS is the first choice of the Am Law 100 and Fortune 500 and is recognized as Best in End-to-End eDiscovery by the National Law Journal and New York Law Journal. With a team of seasoned legal experts and technicians, CDS uses advanced, tested, and defensible services and software to support all stages and types of eDiscovery. Supporting a number of eDiscovery tools, CDS is an Orange-Level Best-in-Service Relativity® Provider and provides one of the largest and highest volume footprints delivering that platform.  CDS is headquartered in New York with regional offices in Chicago and Washington DC. The company maintains highly secure ISO 27001 certified hosting and SSAE 16 SOC 1 Type 2 audited data centers in the US and Europe. Complete Discovery Source, Inc. is not a law firm and does not provide legal representation or advice to its clients.  We urge you to obtain legal counsel before taking any actions which may have legal consequences.

About the Author

Dino E. Medina, Esq.

In his role as General Counsel for CDS, Mr. Medina is responsible for the overall legal affairs of the company, including drafting and negotiating a wide variety of commercial contracts, advising executive management on corporate strategic initiatives and employment matters, managing litigations, and directing CDS’ compliance and risk management posture in all areas of the business.
