Organisations can no longer rely on the Safe Harbour framework for transfers of personal data from the EU to the US. This is the outcome of a seminal decision by the highest court in Europe. Does this now mean all Safe Harbour-based transfers should immediately be suspended? We don’t think so: model contracts should in most cases provide a viable alternative transfer mechanism.
What is the impact on personal data transfers to the US?
Transfer of personal data to a country outside the European Economic Area, like the US, is in principle prohibited. However, the Safe Harbour scheme provided a framework for transferring personal data from the EU to the US. Now that this framework is invalidated, EU-US transfers need to be based on alternative transfer mechanisms.
Does this affect my organisation?
If you are an EU company using the online services of companies in the US or if you are a US company offering online services to companies or end users in the EU on the basis of the Safe Harbour scheme, this decision affects your organisation.
What is the risk if I don’t take additional measures?
In theory, the implications are far-reaching (significant penalties, suspension of transfers and legal actions). Given the broad adoption of the Safe Harbour framework, and the economic importance of data streams between the EU and the US, it would, however, be unworkable if DPAs would immediately require the termination of all Safe Harbour-based data transfers to the US. We nevertheless advise to switch to alternative transfer mechanisms as soon as possible.
What steps should I take in response to this decision?
The first step is to review your organisation’s data flows to determine which categories of personal data rely on the Safe Harbour scheme and which parties are involved in these data transfers. The second step should be in most cases to conclude model contracts for these transfers. We will gladly help you think this through and meanwhile continue to monitor the legal landscape.
The full text of the decision.