EU Court Strikes Down U.S.-EU Safe Harbor for Trans-Atlantic Data Transfers
The European Court of Justice (the "ECJ") ruled that national regulators
in the EU can override the 15-year-old pact between the U.S. and EU known as
the "Safe Harbor." The Safe Harbor allowed companies based in the
U.S. to move personal data on Europeans to U.S.-based computer servers without
violating the EU's privacy laws.
The ECJ's ruling does not order
an end to the data transfers, but holds that national regulators have the right
to investigate them and suspend them if they do not provide adequate protection
for the personal data. European data protection regulators can now pursue
companies for violations.
In anticipation of the ECJ's decision, the European Union
Commission had been working on a Safe Harbor framework to replace the framework
that has been struck down by the ECJ. However, it is uncertain when or if this
replacement framework will be finalized.
Companies that are relying on the U.S.-EU Safe Harbor Framework to comply with the EU
Data Privacy Laws need to consider implementing a new strategy. One possibility
is to adopt Model Contract Clauses, which can be set up with the EU. However,
Model Contract Clauses are based on the Safe Harbor principles and can be
subject to a legal challenge. The other possibility is to adopt Binding Corporate
Rules. Binding Corporate Rules (BCRs) are designed to allow companies to
transfer personal data from the European Economic Area (EEA) outside of the EEA
in compliance with the 8th data protection principle and Article 25 of
Directive 95/46/EC. BCRs are legally sound, but are more complex to establish.