07 Oct 2015
The Court of Justice of the European Union (CJEU) has declared Safe Harbour invalid.
Until now, anyone transferring data from the EU to the US was able to rely on an EU commission decision that the US Safe Harbour regime provided sufficient levels of security to satisfy EU data protection requirements. However, the CJEU has declared that EU commission decision invalid.
Anyone currently relying on Safe Harbour as a means of EU-US transfer compliance needs to take note!
This very recent decision is likely to have huge implications for anyone involved in the transfer of data between the EU and the US. The full implications of the decision will become clearer in time, but the following stand out as immediate implications for anyone involved in EU–US data transfers:
- Safe Harbour can no longer be relied upon as providing an adequate means of protection for data transfers to the US;
- Anyone currently relying on Safe Harbour as a means of satisfying EU–US data transfer requirements will have to completely revise their basis for achieving data compliance in respect of that transfer;
- This will affect both data controllers and data processors;
- Data controllers will need to find a speedy alternative solution to meet their compliance requirements. The most likely, and immediate, means of doing so is through the use of EU Standard Model Clauses;
- Data processors involved in US data transfers will need to look very carefully at their contractual provisions, particularly in their contracts, privacy policies and any other documents relating to data transfer;
- Binding corporate rules are also a solution but will take longer to implement, so Model Clauses are likely to be the most effective way of achieving a speedy solution;
- There’s likely to be a grace period to allow companies to make suitable adjustments to their EU-US data transfer arrangements but there’s no telling how long will be allowed; and
- It’s also likely that the EU and US authorities will agree a suitable replacement for Safe Harbour (Safe Harbour v2) but that will take time and in the meantime companies need to put in place suitable means of compliance.
This decision was issued only yesterday, so it will take time for it to take full effect and for the implications to become clear. Nevertheless, we recommend that anyone affected starts an immediate review of their data compliance position.
The CJEU decision is here and their related press release is here.