Safe Harbour is invalid | Fieldfisher

Safe Harbour is invalid

On 6 October the ECJ delivered its final judgment in the matter of Maximilian Schrems v Data Protection Commissioner and ruled that the European Commission decision 2000/250 (the so-called “Safe Harbor decision”), on which a large number of companies relied in the past to transfer personal data from the EU to the US, is invalid.

As a result:

  • Safe Harbor can no longer be relied upon as an adequate means to transfer data from the EU to the US.

  • The judgment essentially reduces the number of EU-US data export options from 3 (Safe Harbour, Model Clauses, Binding Corporate Rules) to just 2 (EU Model Clauses and BCR).

  • Safe Harbor 2.0 negotiations continue in the background, and will no doubt be under intense political pressure to conclude soon, but we have no current visibility as to their likely timescale for conclusion. We understand that points of disagreement remain around national security.

  • The impact of Safe Harbor invalidity will be felt both by companies that are data controllers of their own data and data processors of their customers’ data.


It is not yet clear what enforcement approach EU data protection authorities will take in respect of organizations that fail to put an alternative measure in place. The Article 29 Working Party (the EU advisory party to the European Commission, with membership comprising representatives from all national Data Protection Authorities) is about to meet to discuss this, and national Data Protection Authorities are deliberating on the issue at present. It is currently not clear whether there will be a grace period before EU Data Protection Authorities start taking enforcement action against organizations that do not put an alternative solution in place.

Alternative solutions can take the form of executing EU Model Clauses or BCR. However, the BCR process usually takes at least 18 months in our experience, so it is far from a 'quick fix' for the interim period. Most businesses will therefore have no choice but to adopt model clauses, which can be difficult in itself, as there is no 'one-size-fits-all' set of model clauses: they differ depending on the data export in question. Whereas one Safe Harbour Certification was able to cover all sorts of data exports, it may now be necessary to apply different model clause solutions for the different types of data that are being transferred.

If you have relied previously on Safe Harbour to transfer personal data from the EU to the US, please do not hesitate to get in touch to discuss the options available for your business going forward. Although it is unlikely that the Data Protection Authorities will immediately start prosecuting companies, this is not an issue that will go away and needs to be dealt with sooner rather than later.
