For years, companies in the United States have relied on the Safe Harbor framework under the EU Directives (the stringent privacy requirements imposed by the European Union) to qualify for the ability to transfer protected data between EU countries and the United States. Today, however, the European Court of Justice ruled that the agreement between the EU and the United States that created the Safe Harbor is invalid. In addition, the European Court of Justice indicated that each of the 28 countries comprising the EU may make its own determination as to how companies collect and use information gathered on its citizens, thereby removing the uniformity among the EU nations with regard to data privacy.
Today’s changes impact many companies within the United States, including health care providers who rely on third-party data centers to store and maintain their patient data. Many data centers are located in countries other than the United States, so loss of the Safe Harbor data transfer authority may call into question the ability of health care providers to access and retrieve patient data hosted in third-party data centers. While some foreign privacy and security laws apply based on whether the data to be transferred is that of the country’s own citizens, other foreign laws apply to any protected data that resides within the country’s borders. The EU Directives are commonly viewed as an example of the latter.
There are other grounds for permissible cross-border transfers of data outside the EU. Health care providers who rely on third parties to store and maintain their patient records should immediately contact those vendors to determine whether data is stored in the EU and whether the vendor can rely on another ground for the ability to transfer data between the EU and the United States. Alternative arrangements may be necessary, some of which require time to implement.