On October 6, 2015, the European Court of Justice (ECJ) issued a ruling invalidating the U.S.-EU Safe Harbor Framework (Safe Harbor). Safe Harbor is an agreement between the U.S. and the EU designed to create a streamlined way to transfer personal data from Europe to U.S. firms in accordance with European data protection rules. Over 4,000 U.S. companies are currently Safe Harbor self-certified.
Does It Impact Your Company?
Yes, if your company has relied on its Safe Harbor certification for authority to transfer data from the EU to the U.S. for processing (for example, if your company transfers European employees’ personal data back to the U.S. for human resources purposes) or if your company uses vendors or suppliers that have relied on the Safe Harbor to transfer data from the EU to the U.S.
What Are Your Company’s Next Steps?
If you believe your company may be affected by this decision, we recommend working quickly to analyze any cross-border data flows to the U.S. Such analysis includes a thorough review of your company’s supply chain. If your company transfers data from the EU to a U.S. processor, or accesses data of EU data subjects that may be stored or processed by a processor in the EU, we recommend reviewing all agreements executed with such processors, identify which ones have represented they are Safe Harbor certified and promptly work with each such entity to find an alternative means to satisfy the European data protection rules.
For compliance purposes, we also recommend mapping out what kinds of data is processed cross-borders (personal and otherwise), identify the data subjects (customers, employees, etc.) and estimate the amount of transferred data.
How Can Your Company Continue to Transfer Data in the Absence of Safe Harbor?
To the extent that your company or your vendors or suppliers have relied on Safe Harbor for data transfers, you should consider alternative mechanisms to legalize such data transfers, including incorporating the Model Contract Clauses by addenda into current supplier and vendor agreements, implementing Binding Corporate Rules or obtaining prior written consent from all data subjects.
Please contact a member of the McGrath North Privacy and Data Security Group if you have further questions, would like to discuss how the Safe Harbor ruling applies to your company or if you would like additional information on how to make your company compliant with the EU Data Protection Directive.
Read the press release from the European Court of Justice. (http://www.politico.eu/wp-content/uploads/2015/10/schrems-judgment.pdf)