Repercussions of the EU Safe Harbor Ruling

Last week, we advised readers of the EU’s determination to reject the Safe Harbor for personal data transfers from the EU nations to the U.S.

The repercussions of this ruling are already starting to be felt within and outside the EU.

The German State Data Protection Authority recently issued a statement that it will no longer permit data transfers to the U.S. based on Standard Contractual Clauses.

Israel, not part of the EU, had previously permitted data transfers to U.S. entities that were in compliance with the Safe Harbor requirements.  In light of the EU’s October 6, 2015 ruling, Israel announced on October 19, 2015, that U.S. entities can no longer rely upon the Safe Harbor as the basis for transfers of personal data from Israel to the U.S.  We may see other countries, which also had accepted the Safe Harbor as the accepted benchmark for personal data transfers to the U.S., now begin to question data transfers for their citizens’ personal information to the U.S.

Lending some (temporary) stability and guidance to this evolving situation, on October 20, 2015, the EU Data Protection Authorities, the European Data Protection Supervisor and the European Commission issued its guidance as to the impact of its October 6, 2015, ruling on the Safe Harbor for personal data transfers to the U.S.:

  • U.S. companies cannot rely upon the Safe Harbor to claim compliance with EU data privacy requirements – and to do so is unlawful.
  • For an interim period – which will end as of January 31, 2016 – Standard Contractual Clauses and Binding Corporate Rules are accepted means of compliance.

Accordingly, at least for the next 3 months, short of building – or leasing space in – a European based data center, the current, next best, and most efficient short-term alternative for U.S. entities may be to adopt the appropriate Standard Contractual Clauses, and to adopt procedures to implement same.

In the meantime, behind the scenes negotiations are ongoing between the U.S. and the EU to come to a new (alternative) safe harbor to resolve the current, seemingly tumultuous, status of personal data transfers from the EU to U.S. based entities.

For more information, please contact your Chiesa Shahinian & Giantomasi PC attorney.

Related Industries

Privacy & Data Security