What did the European Court of Justice decide regarding the validity of the U.S.-EU Safe Harbour Framework?

On 6 October, 2015, the European Court of Justice (ECJ) ruled that the 15-year-old Safe Harbour Framework between the U.S. and the EU that provided a legal basis for the transfer of personal data from the EU/EEA to the United States was invalid with immediate effect. At the time of the court decision, approximately 4,500 U.S. companies were certified, including many companies in the high technology sector. For more information on the Safe Harbour Framework, visit the U.S. Department of Commerce’s website

What is the U.S.-EU Safe Harbour Framework?

The U.S.-EU Safe Harbour Framework was established in 2000 by the U.S. Department of Commerce in consultation with the European Commission to bridge the differences in approaches to privacy between the U.S. and the EU and provide a streamlined process for the transfer of personal data from the EU/EEA to the U.S. Under Safe Harbour, eligible U.S. companies processing personal data collected in the EU/EEA could opt into the Safe Harbour programme by self-certifying their adherence to the seven Safe Harbour principles and 15 frequently asked questions. These were designed to assist eligible organisations to comply with the EU Directive 95/46/EC on the protection of personal data and maintain the privacy and integrity of that data.

What do EU and EEA stand for?

The European Union (EU) is an economic and political partnership between 28 European countries that together cover much of the European continent. The European Economic Area (EEA) unites the EU Member States and the three EEA European Free Trade Association (EFTA) States (Iceland, Liechtenstein and Norway) into an internal market governed by the same basic rules. These rules aim to enable goods, services, capital and people to move freely about the EEA in an open and competitive environment, a concept referred to as the four freedoms.

What does the Safe Harbour ruling by the European Court of Justice mean when it comes to the transfer of data from the EU/EEA to the U.S.?

If an U.S. company was certified under Safe Harbour, it is now required to find another approved method for transferring personal data from the EU/EEA to the U.S.

What are Standard Contractual Clauses/Model Contracts?

Standard Contractual Clauses (SCCs), otherwise known as Model Contracts, are contract terms that have been approved by the European Commission (EC) as ensuring adequate protection for data subjects in accordance with the EU Data Protection Directive 95/46/EC when transferring personal data from the EU/EEA to non-EU/EEA countries, including to the U.S.

How does the decision to invalidate Safe Harbour affect my company’s use of Adobe products?

Prior to the decision by the European Court of Justice (ECJ), Adobe relied primarily on its certification to the Safe Harbour Framework to ensure adequate protection for the transfer of personal data from the EU/EEA to the U.S. Following the ECJ’s decision, Adobe has decided to authorise these personal data transfers using European Commission-approved Standard Contractual Clauses (also referred to as Model Contracts).

As an Adobe customer, can I request that all of the personal data processed by Adobe be stored on Adobe’s servers in the EU/EEA?

While Adobe does have data centres located in the EU/EEA that can be used by some of our products and services, our cloud services may still require data to be transferred to the United States to provide some features. In addition, Adobe personnel may need access to data stored in the EU/EEA from a non-EU/EEA country to provide support services. Under EU law, any access to data residing in the EU/EEA by anyone located in a non-EU/EEA country triggers the rules of transfer to a non-EU/EEA country. As such, an agreement that includes the Standard Contractual Clauses (SCCs) may still be required even if your data is stored in the EU/EEA.

What if I have additional questions?

Enterprise customers may contact their Adobe sales representative with additional questions.

What did the European Court of Justice decide regarding the validity of the U.S.-EU Safe Harbour Framework?

On 6 October, 2015, the European Court of Justice (ECJ) ruled that the 15-year-old Safe Harbour Framework between the U.S. and the EU that provided a legal basis for the transfer of personal data from the EU/EEA to the United States was invalid with immediate effect. At the time of the court decision, approximately 4,500 U.S. companies were certified, including many companies in the high technology sector. For more information on the Safe Harbour Framework, visit the U.S. Department of Commerce’s website

What is the U.S.-EU Safe Harbour Framework?

The U.S.-EU Safe Harbour Framework was established in 2000 by the U.S. Department of Commerce in consultation with the European Commission to bridge the differences in approaches to privacy between the U.S. and the EU and provide a streamlined process for the transfer of personal data from the EU/EEA to the U.S. Under Safe Harbour, eligible U.S. companies processing personal data collected in the EU/EEA could opt into the Safe Harbour programme by self-certifying their adherence to the seven Safe Harbour principles and 15 frequently asked questions. These were designed to assist eligible organisations to comply with the EU Directive 95/46/EC on the protection of personal data and maintain the privacy and integrity of that data.

What do EU and EEA stand for?

The European Union (EU) is an economic and political partnership between 28 European countries that together cover much of the European continent. The European Economic Area (EEA) unites the EU Member States and the three EEA European Free Trade Association (EFTA) States (Iceland, Liechtenstein and Norway) into an internal market governed by the same basic rules. These rules aim to enable goods, services, capital and people to move freely about the EEA in an open and competitive environment, a concept referred to as the four freedoms.

What does the Safe Harbour ruling by the European Court of Justice mean when it comes to the transfer of data from the EU/EEA to the U.S.?

If an U.S. company was certified under Safe Harbour, it is now required to find another approved method for transferring personal data from the EU/EEA to the U.S.

What are Standard Contractual Clauses/Model Contracts?

Standard Contractual Clauses (SCCs), otherwise known as Model Contracts, are contract terms that have been approved by the European Commission (EC) as ensuring adequate protection for data subjects in accordance with the EU Data Protection Directive 95/46/EC when transferring personal data from the EU/EEA to non-EU/EEA countries, including to the U.S.

How does the decision to invalidate Safe Harbour affect my company’s use of Adobe products?

Prior to the decision by the European Court of Justice (ECJ), Adobe relied primarily on its certification to the Safe Harbour Framework to ensure adequate protection for the transfer of personal data from the EU/EEA to the U.S. Following the ECJ’s decision, Adobe has decided to authorise these personal data transfers using European Commission-approved Standard Contractual Clauses (also referred to as Model Contracts).

As an Adobe customer, can I request that all of the personal data processed by Adobe be stored on Adobe’s servers in the EU/EEA?

While Adobe does have data centres located in the EU/EEA that can be used by some of our products and services, our cloud services may still require data to be transferred to the United States to provide some features. In addition, Adobe personnel may need access to data stored in the EU/EEA from a non-EU/EEA country to provide support services. Under EU law, any access to data residing in the EU/EEA by anyone located in a non-EU/EEA country triggers the rules of transfer to a non-EU/EEA country. As such, an agreement that includes the Standard Contractual Clauses (SCCs) may still be required even if your data is stored in the EU/EEA.

What if I have additional questions?

Enterprise customers may contact their Adobe sales representative with additional questions.

Questions or concerns

If you have any complaints regarding our compliance with the Safe Harbour programme, you should first contact us. If the complaint cannot be resolved through our internal dispute resolution process, you may submit your complaint to JAMS for mediation under the JAMS International Mediation Rules, which are accessible on the JAMS website at www.jamsadr.com.

This policy may be changed from time to time as permitted under the Safe Harbour programme. Learn more.

European Court of Justice Safe Harbour Ruling FAQs | Adobe Safe Harbour Privacy Policy

Last updated: 7 December 2015

European Court of Justice Safe Harbour Ruling—FAQs

On 6 October, 2015, the European Court of Justice (ECJ) issued its decision in the case of Maximillian Schrems v. Data Protection Commissioner, finding that the U.S.-EU Safe Harbour Framework is invalid with immediate effect. The suspension of Safe Harbour affects many companies that need to transfer personal data from the European Union (EU) and the European Economic Area (EEA) to the United States and to other non-EU/EEA countries. Adobe has evaluated various options that will allow for the transfer of personal data from the EU/EEA to non-EU/EEA countries. Like many companies, Adobe has decided to authorise these personal data transfers using European Commission-approved Standard Contractual Clauses (also referred to as Model Contracts).

Adobe Safe Harbour Privacy Policy

Last updated: 18 June 2014

Adobe Inc. (our U.S. company) has certified to U.S.-E.U. Safe Harbour Framework and the U.S.-Swiss Safe Harbour Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data from our subsidiaries, corporate customers and other business partners in the European Union member countries and Switzerland. To learn more about the Safe Harbour programme and to view the certification for Adobe Inc., visit https://www.ftc.gov/business-guidance/privacy-security/us-eu-safe-harbor-framework.

This Adobe Safe Harbour Privacy Policy describes how we handle personal information (1) collected by Adobe subsidiaries, our corporate customers and other business partners located in the European Economic Area (the EEA) and Switzerland, which is then transferred to Adobe Inc. in the United States; and (2) received from companies that use one of Adobe’s hosted services (learn more) who operate in the EEA and Switzerland and processed by Adobe Inc. in the United States on behalf of the company. This Safe Harbour Privacy Policy supplements the Adobe Privacy Policy.

Personal information

Adobe Inc. may receive personal information from Adobe subsidiaries (see list of Adobe entities and our acquired companies), our corporate customers and other business partners in the EEA and Switzerland, such as name, email address, company name, title, postal address, telephone number and preferences regarding our applications and websites. Any personal information sent to us may be used by Adobe Inc. and its subsidiaries and their agents and business partners for the purposes described at the time the information was collected. If you agree to receive email or telephone marketing from us, personal information we receive will also be used for those purposes, as described in the Adobe Privacy Policy. If we plan to use personal information for a purpose that is incompatible with these purposes or if we plan to disclose personal information to a kind of company not described here, we will seek your consent to such uses or disclosures.

Agents and service providers

Adobe Inc. works with several companies to help us to deliver our services to you on our behalf. These companies provide services such as offering customer support, processing credit card payments and sending emails on our behalf. In some cases, these companies will have access to some of your personal information in order to provide services to you on our behalf. They are not permitted to use your information for their own purposes. Adobe Inc. requires that its agents and service providers that have access to personal information received by Adobe Inc. from the EU or Switzerland subscribe to the Safe Harbour Privacy Principles, be subject to the EU Privacy Directive or another adequacy finding or enter into a written agreement that requires them to provide at least the same level of privacy protection as is required by the relevant Safe Harbour Principles.

Security

Adobe Inc. uses reasonable physical, electronic and administrative safeguards to protect your personal information from loss; misuse; or unauthorised access, disclosure, alteration or destruction.

Data integrity

Adobe Inc. takes reasonable steps to ensure that your personal information we process is accurate, complete and current by using the most recent information provided to us.

Accessing and updating your information

You can request to review, update or delete your personal information.

Information processed by Adobe on behalf of a company using an Adobe hosted service

Adobe Inc. provides hosted services to companies (learn more). As part of providing these hosted services, Adobe Inc. may receive and process your personal information if you are a customer of one of these companies. When Adobe Inc. provides these services, we are referred to as a data processor. As a data processor, Adobe Inc. acts on the instructions of these companies and uses reasonable physical, electronic and administrative safeguards to protect this personal information from loss; misuse; or unauthorised access, disclosure, alteration or destruction. Companies that use an Adobe hosted service are responsible for complying with all other obligations in relation to the personal information they may collect from you.

European Court of Justice Safe Harbour Ruling—FAQs

What did the European Court of Justice decide regarding the validity of the U.S.-EU Safe Harbour Framework?

What is the U.S.-EU Safe Harbour Framework?

What do EU and EEA stand for?

What does the Safe Harbour ruling by the European Court of Justice mean when it comes to the transfer of data from the EU/EEA to the U.S.?

What is Adobe doing in regards to the decision by the European Court of Justice to invalidate the U.S.-EU Safe Harbour Framework?

What are Standard Contractual Clauses/Model Contracts?

How does the decision to invalidate Safe Harbour affect my company’s use of Adobe products?

As an Adobe customer, can I request that all of the personal data processed by Adobe be stored on Adobe’s servers in the EU/EEA?

What if I have additional questions?

Adobe Safe Harbour Privacy Policy

Information collected by Adobe subsidiaries, corporate customers and business partners

Questions or concerns

Changes or updates