Frequently Asked Questions

Q: What are the immediate consequences of the Safe Harbor decision?

A:  The Safe Harbor for the transfer of personal data between the EU and the US is no longer valid. For companies relying on Safe Harbor in the past, this decision means that they will either need to find an alternative data transfer strategy, or accept the risk of being technically out of compliance.

Q: What are the effects of the Safe Harbor Ruling in one sentence?

A:The decision created more questions then answers, and many of these will ultimately require political solutions; for the time being formerly safe-harbored companies must decide whether to immediately adopt a different adequacy measure or wait for the legal and political process to unfold.

Q: What are the compliance alternative strategies now that Safe Harbor is no longer valid?

A: There were and still are alternative legal instruments that allow data transfers between the EU and the US. Besides Safe Harbor, the two other means that guarantee an adequate level of data protection are:

  • EU Model Contracts and
  • Approved Binding Corporate Rules

As mentioned during the call, however, the underlying political aspects that lead to the European Court of Justice’s ruling (i.e., the excessive data access and surveillance by US authorities) are not solved by either of these strategies. Therefore, EU Commission decisions that validated these strategies are vulnerable to the same type of arguments that brought down the Safe Harbor.

In addition to the EU Commisson’s decisions national Data Protection Authority (DPA) are also authorized to approve data transfers where they deem that a sufficient level of data protection is guaranteed. As a result, its possible that DPAs may approve a particular company’s strategy even if it does not incorporate the EU Model Contracts or Approved Binding Corporate Rules.

The EU legal framework also allows for data transfers to the US without adequacy measures, e.g. if:

  1. the data subject has given his consent unambiguously to the proposed transfer; or
  2. the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request.

 Note that both of these exceptions are subject to inconsistent interpretations between and among the member nations (e.g., what constitutes consent, what constitutes necessity for contract, etc.).

Recommendations:

Use Model Contracts - For those companies controlling personal data in the EU and transferring it outside of the EU the Model Contracts are still a valid alternative.

Contract Review - For US data processors that were formerly safe harbor certified we recommend reviewing your client contracts in order to identify potential areas of contractual exposure – i.e., breaches or inaccuracies resulting from the Safe Harbor decision. For example, service provider agreements sometimes contained an obligation to remain Safe Harbor certified for the duration of the contract, or grant special termination rights to the contracting party in case of data protection non-compliance.

Reach out to your local DPA- For those companies acting as a data controller in the EU, consider contacting your local DPA. The local DPAs are the ones who, together with the EU Commission, have the authority to define and enforce adequacy standards.