On October 6, 2015, the European Court of Justice (“ECJ”) invalidated the US-EU Safe Harbor Framework (“Safe Harbor”). This ruling will have far-reaching consequences. The Safe Harbor allowed U.S. companies to receive EU citizens’ personal data from the EU if the U.S. companies complied with the Safe Harbor requirements. The Safe Harbor greatly facilitated the transfer of private personal data from the EU to the U.S. by avoiding the necessity of U.S. organizations having to comply with the much stricter EU Data Protection Directive and by allowing the U.S. Federal Trade Commission and Department of Transportation to enforce compliance with the Safe Harbor requirements rather than EU regulators.
The ECJ struck down the Safe Harbor on the grounds that it did not adequately protect the privacy rights of EU citizens by (i) failing to provide them the right to challenge the handling of their data and (ii) allowing self-certified U.S. organizations to disregard the Safe Harbor principles when U.S. national security, public interest and law enforcement requirements prevailed. The European Commission has promised to issue guidance in light of the ruling in the coming weeks.
Since the ECJ’s ruling does not provide a grace period for companies to adjust to the post-Safe Harbor world, U.S. organizations that relied on the Safe Harbor to process personal data from the EU may be running afoul of EU data privacy laws. The ruling shifts the enforcement power over U.S organizations regarding EU citizens’ personal data from the Federal Trade Commission and Department of Transportation to E.U. regulations. Examples of a few immediately available options for US organizations to continue EU-U.S. data transfers include:
- Incorporating EU-approved model contract clauses for existing and future contracts
- Implementing binding corporate rules for intra-company transfers
- Compliance with the EU’s Data Protection Directive
There is a chance that the U.S. and the EU will be able to successfully negotiate a new version of the Safe Harbor, but if this were to occur, it will likely take many months if not years. We will provide you with timely updates on the implications of the Court’s ruling as they become available to us. For more information on how to bring your company’s privacy policies and contracts into compliance following this ruling, please contact Alex Woollcott at [email protected].