Today the European Court of Justice, Europe's highest court, invalidated the Safe Harbor agreement and framework that has permitted more than 4,000 companies to transfer personal data from the EU to the U.S. The decision can be found here. In light of this decision, U.S. companies that have been relying on the Safe Harbor framework should immediately take steps to (1) ensure and document their compliance with current Safe Harbor requirements and (2) implement an alternative method, likely a contractual arrangement, to lawfully permit the flow of personal data from the EU to the U.S.
What the Decision Means to Businesses
Until today, there were four methods for complying with EU data privacy laws for EU to U.S. data transfers:
1. Consent of the individual
2. The Safe Harbor framework
3. Model contracts with standard contractual clauses
4. Binding Corporate Rules

With the Safe Harbor invalidated, and due to the complexities and lengthy time delays associated with relying on consent and Binding Corporate Rules, most U.S. companies will likely rely on putting model contracts with standard contractual clauses (model contracts) in place. The model contracts have been approved by the European Commission as providing adequate contractual protection to ensure that the privacy rights of individuals are respected as required by EU privacy law. While the European Court of Justice's ruling could be used by individuals to challenge the validity of transfers based on model contracts, for the time being at least, model contracts remain a viable method for complying with the EU's privacy laws.
Obtaining consent from individuals can raise complex issues about the enforceability of informed and voluntary consent, and is generally not effective for obtaining the consent of employees. Binding Corporate Rules allow multinational corporations to make transfers among the corporate family across international borders, and must be approved by the applicable data protection authorities. Implementing and obtaining governmental approval of Binding Corporate Rules is typically expensive and time-consuming. Accordingly, it would be prudent for U.S. companies to act as soon as possible to work with the EU companies, whether affiliated or non-affiliated, that send personal information to the U.S. to get the contractual protections under the model contracts in place.
If an agreement (e.g., a services or sales agreement) currently exists between the U.S. entity receiving personal...