The European Court of Justice (the “ECJ”) ruled that national regulators in the EU can override the 15-year-old pact between the U.S. and EU known as the “Safe Harbor.” The Safe Harbor allowed companies based in the U.S. to move personal data on Europeans to U.S.-based computer servers without violating the EU’s privacy laws.
The ECJ’s ruling does not order an end to the data transfers, but holds that national regulators have the right to investigate them and suspend them if they do not provide adequate protection for the personal data. European data protection regulators can now pursue companies for violations.
In anticipation of the ECJ’s decision, the European Union Commission had been working on a new Safe Harbor framework to replace the one that has now been struck down by the ECJ. However, it is uncertain when or if this replacement framework will be finalized.
Companies that rely on the U.S.-EU Safe Harbor Framework to comply with EU data privacy laws need to consider implementing a new strategy. One possibility is to adopt Model Contract Clauses, which can be set up with the EU. However, Model Contract Clauses are based on the Safe Harbor principles and can be subject to a legal challenge. The other possibility is to adopt Binding Corporate Rules (BCRs). BCRs are designed to allow companies to transfer personal data from within the European Economic Area (EEA) to destinations outside the EEA in compliance with the 8th data protection principle and Article 25 of Directive 95/46/EC. BCRs are legally sound, but are more complex to establish.