In October 2015, the European Commission's adequacy decision on the Safe Harbor Agreement was invalidated by the Court of Justice of the EU (CJEU) in the Schrems case. The Court considered that the third country concerned must ensure an adequate level of protection safeguarded by its domestic law or international commitments, and that the reliability of such a system, in light of that requirement, is founded essentially on the establishment of effective detection and supervision mechanisms in relation to the protection of fundamental rights. Consequently, the Court found that the Safe Harbor Agreement failed to comply with the requirements of Directive 95/46/EC and established Human Rights law. The judgment was addressed to the Commission. The EU-US Privacy Shield decision has since replaced the Safe Harbor agreement, in providing a basis for personal data transfers from the US to the US companies certified under the scheme.
The Information Commissioner has provided regular updates to the status of the Privacy Shield and remains an active member of the Article 29 Working Party Privacy Shield annual joint review team.