The European Court of Justice declared "Safe Harbor" Scheme invalid
"Safe Harbor" was a self-certification regime intended to ensure adequate protection for personal data transferred from the EU to the US. More than 5,000+ US companies have employed the scheme approved in 2000 by the European Commission by. On 6 October 2015, the Court of Justice of the European Union ("CJEU") declared the decision of the EU Commission on Safe Harbor's approval invalid.
The CJEU ruled that Safe Harbor does not ensure the same level of protection of EU citizen's rights they exercise in the EU, when their personal data is transferred to the US. Further, CJEU confirmed that individuals have the right to challenge the European Commission's decisions relating to data transfer schemes through their national regulators.
Thus, Safe Harbor can no longer be solely relied upon as a valid legal mechanism for data transfers from the EU to the US. Organizations using it would now need to move to alternative data transfer compliance solutions such as model contracts (clauses) or Binding Corporate Rules. Other options also include consent for the data transfer by the individual in question. Another possibility for affected companies is to continue relying on Safe Harbor. The general rule remains that if Safe Harbor ensures an adequate level of protection, the transfer is admissible, but could potentially be challenged.
As to Bulgaria, the Commission for Protection of Personal Data ("CPPD") must comply with the general rules of the EU data protection legislation. In accordance with the CJEU's ruling, it will have the right to review the level of protection provided and to refer any concerns to the attention of the CJEU. The CPPD has not issued any guidance on the matter, yet.