Safe Harbor Invalid: Recorded Webinar and US Reaction

By Ruth Boardman, Ariane Mole, Gabriel Voisin


Following the CJEU ruling, which invalidated the Safe Harbor regime governing EU/US data transfers, experts from multiple Bird & Bird offices hosted a complimentary webinar to analyse the decision, its consequences and potential implications for businesses. Please click on the link below to access a recording of this webinar.  

View the Webinar >

US Reaction

A number of key US individuals and organisations have also offered their opinion on the judgment. A selection of "soundbites" can be found below. Whether from government officials, trade bodies or companies, the statements highlight their general dissatisfaction with the decision, concerns about a consequent lack of legal certainty and a desire to encourage the swift implementation of an new, improved 'safe harbor' agreement.

Penny Pritzker – US Secretary of Commerce:

"We are deeply disappointed in today’s decision from the European Court of Justice, which creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy. We are prepared to work with the European Commission to address uncertainty created by the court decision so that the thousands of U.S. and EU businesses that have complied in good faith with the Safe Harbor and provided robust protection of EU citizens’ privacy in accordance with the Framework’s principles can continue to grow the world's digital economy.” 

See the full statement here.

Josh Earnest – White House Press Secretary:

“There is concern about the economic consequences of the judgment… We are disappointed that the court has struck down an agreement that, since 2000, has proved to be critical in protecting privacy and fostering economic growth both in the US and EU. We will work with the Commission to produce an updated safe harbour agreement.

We have a variety of concerns about this ruling…we believe this decision was based on incorrect assumptions about data privacy protections in the United States.”

See Youtube video of the statement here.

Michael Daniel – White House Cybersecurity Co-ordinator:

The decision is not surprising, but "could potentially be disruptive to U.S. companies depending on how the Europeans choose to implement it... I am convinced that it will be in the interest of both the United States and Europe to figure out how to enable data to flow for commercial purposes across the Atlantic in either direction. Ultimately we will figure out how to do that."

See report here.

Senator Ron Wyden:

This will result in "open season" on American businesses. "This misguided decision amounts to nothing less than protectionism against America’s global data-processing services and digital goods. It is a mistake that will wreak havoc on businesses on both sides of the Atlantic.”

See report here.

US Chamber of Commerce:

“It is particularly alarming that this longstanding agreement has been invalidated with no discussion of a transition period or guidance regarding how companies should comply with the law while a new agreement is negotiated or as they transition to new mechanisms. The European Commission, along with Member State Data Protection Authorities, should quickly provide guidance to ensure that businesses and consumers don’t experience a disruption in the products and services on which they rely.

While data may be shared across the Atlantic under mechanisms other than the Safe Harbor Agreement, these alternatives involve the negotiation of tens of thousands of individual contracts or other onerous procedures that are only practical for the largest of companies… Small and medium-sized firms on both sides of the Atlantic will bear a disproportionate share of the burden of coping with new legal and administrative requirements and a lack of legal certainty.

Too many politicians and pundits overlook the fact that the Safe Harbor Agreement is vital to the ability of European firms to conduct business across the Atlantic. European consumers will also suffer diminished access to modern data-driven services in smaller EU markets. For all these reasons, we urge the European authorities to act swiftly to address this issue.”

See the full statement here.

US Software & Information Industry Association (Industry group representing Apple & Oracle etc):

“We urge the European Commission to issue guidance to assure companies how they can continue to transfer data across the Atlantic until such time as a new safe harbor is put into place."

See report here.

US Internet Association (Industry group representing Twitter, Google, Facebook, Netflix and Uber etc):

“Internet companies have mechanisms in place to effectuate data transfers beyond the Safe Harbor, but smaller companies and consumers both in the EU as well as in the U.S. could experience significant challenges going forward.

In light of this far reaching European Court of Justice ruling, the Internet Association calls on the U.S. and EU to join forces to implement a revised Safe Harbor framework and to issue interim guidance to stakeholders pending this implementation. The Internet industry has consistently supported surveillance reform, including the Judicial Redress Act which would extend certain U.S. privacy protections to EU citizens. We reiterate our support for this legislation and look forward to its swift passage through Congress.”

See full statement here.


"This case is not about Facebook. What is at issue is one of the mechanisms that European law provides to enable essential transatlantic data flows.

"Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbour. It is imperative that EU and U.S. governments ensure that they continue to provide reliable methods for lawful data transfers and resolve any issues relating to national security.

We will of course respond fully to any enquiries by our regulator the Irish Data Protection Commission as they look at how personal data is being protected in the US. The outcome...will have significant implications for all Irish companies who transfer data across the Atlantic."

See reports here and here.


"We don’t believe today’s ruling has a significant impact on our consumer services.

For Microsoft’s enterprise cloud customers, we believe the clear answer is that yes they can continue to transfer data by relying on additional steps and legal safeguards we have put in place. This includes additional and stringent privacy protections and Microsoft’s compliance with the EU Model Clauses, which enable customers to move data between the EU and other places – including the United States – even in the absence of the Safe Harbor. Both the ruling and comments by the European Commission recognized these types of steps earlier today. Microsoft’s cloud services including Azure Core Services, Office 365, Dynamics CRM Online and Microsoft Intune all comply with the EU Model Clauses and hence are covered in this way.

Today’s decision obviously raises important points and makes it even more important for the European Commission and the U.S. Government to reach agreement on a path forward. We support this effort. It also makes clear the need for broader reforms of digital privacy laws around the world to strike a better balance between personal privacy and public safety. This is something we’ve been arguing for some time."

See full blog post here.


Stated that they have EU-approved systems in place so that data-transfers would be uninterrupted. “Customers can continue to run their global operations."

See report here.

See also:

Main Safe Harbor page >

EU-US Privacy Shield: Latest updates from our Data Protection team EU-US Privacy Shield Portal