The Court of Justice of the European Union ruled this morning that the Safe Harbor regime, which enables transatlantic data transfers from the European Union to the United States, is invalid, thereby giving each national supervisory authority the chance to revisit the question of whether the U.S. provides an adequate level of protection for EU citizens' data. A copy of the decision can be found here.
A very quick summary of the case is at the end of this note for those who are interested in more detail.
Consequently, if your company relies on Safe Harbor as the exclusive basis for its transfer of personal data from the EU to the U.S., it may need to find another basis to legitimize the transfer as soon as possible. The primary options are:
(1) Consent of the data subject to the transfer. In most circumstances, the consent needs to be explicit and fully informed to be valid. It should also be noted that consent is not permitted in all EU countries.
(2) Binding corporate rules (BCR) for intragroup transfers. BCRs need to be approved by the relevant national information commissioners, and this is a lengthy process (potentially 18 months or more).
(3) Establish contracts between the exporting and receiving entities incorporating the Model Contract Clauses. The European Commission has provided Model Contract Clauses that can be incorporated into agreements to ensure adequate protection of the transferred personal data. It should be noted that Model Contract Clauses only address data transfers between an EU exporting entity and a U.S. receiving entity and, thus, alone would not solve for all data transfers.
(4) Adequacy Self-Assessment in member states. Certain EU member states accept self-assessment to legitimize the transfer of EU data to the U.S.
It's important to stress that this decision, while important, is not a wholesale ban on data transfers to the U.S., and the options above provide viable alternatives for such transfers.
For many U.S. companies, taking a "wait and see" approach may be the most sensible course of action at this very early time, as now each national supervisory authority must determine whether the U.S. provides an adequate level of protection for EU citizens' data. The ongoing negotiations of a new safe harbor agreement could also result in reconfirmation of the Safe Harbor program in a way that is also consistent with today's ruling.
We know that this decision is disconcerting for companies who have been relying on Safe Harbor...