EU – US Safe Harbor Ruled Invalid

Benesch

The global data protection community was dealt a major blow early on Tuesday, October 6, 2015, when the Court of Justice of the European Union (“CJEU”), the European Union’s highest court, declared the fifteen-year-old EU-US Safe Harbor framework invalid as a mechanism to legitimize the transfer of personal data from the European Union to the United States. Thousands of organizations have relied on Safe Harbor, and now these transfers are effectively unlawful.

The issue centered on the fact that Safe Harbor does not protect European citizens’ fundamental rights to privacy, because it has been unable to prevent the types of large-scale surveillance activities by US intelligence agencies that came to light through Edward Snowden in 2013. The full text of the ruling is available here, with a press summary available here.

What does this decision mean to US companies with European operations?

Transfers and processing of personal data on employees, customers, suppliers or other third parties by multi-national companies that have relied on Safe Harbor are now unlawful unless they are specifically authorized by a data protection authority or fall within another compliance framework. This impacts both intra-group data transfers and transfers to third party service providers that receive personal data on European citizens from their customers.

Multi-national companies that want to stay compliant and continue to transfer and process personal data on European citizens should remain proactive and take the following reasonable steps until a more permanent solution, such as Binding Corporate Rules, can be adopted.

1. Identify and document the key data transfers, both within the organization and with third party data processors. Rank and prioritize the key data transfers for implementing alternative contractual solutions.

2. For third party data processors, review the existing contracts to determine if they provide adequate data protection. If the contract relies on Safe Harbor, inquire with the service provider if it can implement a suitable alternative contractual solution.

3. For intra-group data transfers, beginning with the key data transfers, implement alternative contractual solutions.

Multi-national companies that continue to transfer and process personal data from European citizens without implementing an alternative contractual solution, adopting Binding Corporate Rules, or receiving authorization from a data protection authority risk exposing themselves to legal action that can result in monetary fines or a prohibition on data transfers from the EU to the US. For companies that have come to rely on this trans-Atlantic data transfer and have developed business models around it, the consequences of not continuing to transfer this data can be catastrophic.

Lastly, as an alternative solution, multi-national companies can re-architect their systems to keep data local within a country or region, effectively eliminating data transfers. However, this solution is often not reasonable, efficient, or cost-effective for most organizations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Benesch

Written by:

Benesch