A good opportunity to renegotiate terms with your service provider.

This week’s ECJ decision invalidating Safe Harbor serves as a handy opportunity for any EU data controller that is exporting personal data from the EU to the US via a service provider (for example by using a cloud service has some or all of its operations in the US) to renegotiate more favourable terms with that service provider. Some renegotiation of terms will be needed if you have previously been relying on the service provider’s enrolment in the Safe Harbor programme as the means of satisfying your obligation as an EU data controller to ensure an ‘adequate level of protection’ of that personal data once it transfers to the US. Now that Safe Harbor has been declared invalid, other measures will need to be taken to satisfy this statutory burden, for example by incorporating the EU model clauses for data transfers via a service provider, and probably also backing that up with some due diligence to make sure that processes are also in place to back these up. The decision will give a leg up for competing service providers based in the EU who do not need to export data to the US. Accordingly, service providers with hosting or data processing operations in the US will be under pressure to retain business from EU data controllers not only by agreeing to contract terms that allow those customers to comply with EU data protection laws, but also perhaps by agreeing to more competitive terms generally. Such service providers would be well advised to jump the gun by reviewing and updating their standard customer terms accordingly.