EU Safe Harbor for Protection of Personal Data Received from the EU Under Fire

Yesterday, the European Union’s (“EU”) highest court struck down the pact that created the European Union Safe Harbor. This ruling calls into question, and will bring scrutiny to, US-based companies’ compliance with EU personal data privacy requirements applicable to (i) the transfer from the EU to the US of personal information about individuals who reside in the EU and (ii) the maintenance of databases in the US that house that personal information. To be clear, the ruling found that national regulators can override the Safe Harbor, not that the Safe Harbor is completely invalid.

What does this ruling mean? The Safe Harbor may not apply in any given member nation within the EU. As a result, companies that were relying upon the Safe Harbor should immediately revisit whether they should take other actions, legally and/or technologically, to comply with EU privacy requirements. One solution may be to establish an EU consumer data processing and hosting center. Another option may be to enter into a data transfer agreement.

The underlying European Commission’s Directive on Data Protection went into effect in October 1998, and prohibits the transfer of personal data to non-EU countries that do not meet the EU “adequacy” standard for privacy protection. EU legislation requires registration of databases with independent government data protection agencies within the EU, and in some instances prior approval before personal data processing may begin.

The Safe Harbor had allowed US companies that stored personal data of citizens of the EU to satisfy the EU “adequacy” standard cost-effectively. Among the other benefits afforded by the Safe Harbor was that claims relating to data gathering and storage asserted by EU citizens against US organizations would be heard, with limited exceptions, in the United States.

If your business has been relying upon the Safe Harbor, please contact your Chiesa Shahinian & Giantomasi PC attorney to discuss your options and the requirements of the EU member nations.
