Today, Oct. 6th, the Court of Justice of the EU (CJEU) ruled that the current U.S.-EU Safe Harbor Program is no longer a valid method for ensuring adequacy under EU Data Protection Directive 95/46/EC for international data transfers.
This significant change in data protection law removes an established data transfer compliance mechanism that has been in place since 2000 and has been relied on by more than 4,000 U.S. companies.
This ruling causes a period of uncertainty for businesses until the Department of Commerce and the European Commission can agree and put a new U.S.-EU Safe Harbor framework in place. This morning the Department of Commerce commented, “The court’s decision necessitates release of the updated Safe Harbor Framework as soon as possible,” and the UK ICO also added, “Concerns about the Safe Harbor are not new…We understand that these negotiations are well advanced.”
To ensure compliance in the interim, it’s essential to assess and prioritize current data transfers and evaluate the options for your organization. The main considerations include the nature and frequency of the data transfers that have relied on Safe Harbor for their legitimacy. Once a data transfer baseline has been determined, the alternative options include:
- Relying on consent as a justification for your data transfers.
- Introducing Model Clauses for data transfers into your contracts.
- Starting the process to apply for Binding Corporate Rules (BCRs).
- Waiting for a new U.S.-EU Safe Harbor 2.0 to be introduced.
On Friday, TRUSTe will be facilitating a webinar with the Delegation of the European Union to the U.S. This webinar will provide listeners with an opportunity to ask questions on next steps for U.S. companies previously in the Safe Harbor Program.
TRUSTe will continue to monitor the situation closely and provide updates on our blog and by email.