The Eighth Data Protection principle, which derives from Article 25(1) of Directive 95/46/EC of the European Parliament, is set out in Part 1, Schedule 1 of the Data Protection Act 1998. It provides that personal data shall not be transferred to a country or territory outside the EEA, unless that country ensures an adequate level of protection for the rights and freedom of data subjects in relation to the processing of personal data.

Although no general finding of adequacy has been made in relation to the US, personal data can be transferred to companies in the US which have signed up to the Safe Harbor principles agreed between the European Commission and the US government in 2000 (Safe Harbor Agreement). Companies which sign up to the Safe Harbor Agreement must adhere to a set of standards, which are broadly similar to the principles set out in the Data Protection Act 1998. In practice, however, fewer companies have signed up to the arrangement than had initially been expected.

The European Court of Justice has now been called to rule on whether, in light of the Snowden leaks, Safe Harbor is compliant to the Eight Data Protection principle. The judgment may have a potentially disruptive effect on big companies which collect users’ data in Europe and transfer and process the data in the US, forcing them to store and process data in Europe. The decision and the outcome will be extremely interesting to lawyers and operators dealing with privacy issues.