Privacy Safe Harbor for US/EU Data Transfers is Abolished
October 7, 2015
Posted by Kurt E. Anderson
Hold onto your hat: on October 6, 2015, the Court of Justice of the EU (in the Schrems case) invalidated the Safe Harbor adequacy decision on which US companies rely for transfers of personal data from the EU to the US. So, as of today, if you are transferring “personal data” from the EU to the US and you are relying on Safe Harbor to do so, you are no longer in compliance with the EU Data Protection Directive. Full stop. If this describes your company, here is what you need to do next.
Since you can no longer rely on Safe Harbor, you will have to use one of the remaining transfer mechanisms:
1. Intercompany Transfers. If the data transfer is between companies belonging to the same multinational group, you can get back into compliance by adopting “binding corporate rules” (BCRs) and having them approved by the relevant national “data protection authority.” The problem with this approach is that approval may take 18 months. If you cannot put all data transfers on hold that long, see option 2 below.
2. Transfers Between Unaffiliated Companies. For all other transfers, the parties will have to enter into “standard contractual clauses” (also called model clauses). There are three sets of standard contractual clauses, so you will have to pick the set that matches your role as a data “controller,” a data “processor,” or both.
3. Comply. One last thing. Once you have adopted approved binding corporate rules or entered into standard contractual clauses, you will actually have to comply with them. This may have far-reaching implications for your internal policies and practices.
Here are links to some resources that might be helpful.
CJEU Decision Invalidating the US Safe Harbor
Model Contracts for the transfer of personal data to third countries
Model Checklist Application for Approval of Binding Corporate Rules
A special thanks to Matthias Berger at Field Fisher for alerting me to this development.
Tags: binding corporate rules > controller > EU Data Protection Directive > European Court of Justice > Maximillian Schrems > personal data > Privacy Directive > processor > safe harbor > standard contractual clauses