By its judgment in case C-362/14, the Court of Justice of the European Union (CJEU) declared invalid Commission Decision 520/2000 on the processing and free flow of personal data from the EU to the US, which established the so-called “Safe Harbor” scheme.

The CJEU clarified that national Data Protection Authorities must be able to examine, in total independence, whether any personal data transfer to a third country complies with the Data Protection Directive, irrespective of any relevant Commission Decision. It stated, however, that national DP Authorities do not have the power to invalidate such Commission adequacy decisions.

Further, considering the massive and indiscriminate surveillance by the US public authorities, the CJEU reached the conclusion that the Safe Harbor scheme does not comply with EU data protection legislation. It was found in this respect that the US national security prevails over the Safe Harbor scheme and that the EU data transferred to the US is processed by the US authorities beyond what is strictly necessary and proportionate to the protection of national security, contrary to EU safeguards. Thus, the Court invalidated the Safe Harbor Decision.

Following this landmark ruling, the Hellenic Data Protection Authority declared unlawful the transfers that are still taking place under the Safe Harbor scheme after the CJEU judgment and invited data controllers to cease any data transfer performed on this basis. In practice, this means that the countless data flows towards the US that were performed up to now through the Safe Harbor scheme already need an alternative legal basis in order to be lawfully conducted.

The Hellenic Authority recognized that data controllers may still use Standard Contractual Clauses and Binding Corporate Rules as a basis for overseas data transfers; it reiterated, however, its competence to examine and ban any overseas data transfer it deems non-compliant with EU and national laws.