Just over a month ago we reported the decision of the European Court of Justice, declaring the US Safe Harbor scheme to be invalid (see e-brief

What has happened in the interim – and, more importantly, where does this leave employers in the EU and the US?

In the wake of the ECJ ruling and the void which is left in terms of previous reliance on Safe Harbor:

  • a number of data protection authorities (“DPAs”) across Europe have expressed their own opinions on the implications of the ruling. In the UK, for example, our own Information Commissioner’s Office has adopted a pragmatic approach, acknowledging there are other EU Commission decisions that can still be helpful to employers and encouraging businesses not to “rush to other transfer mechanisms that may turn out to be less than ideal… especially with the possibility that a new, improved and perhaps rebranded Safe Harbor will emerge.”;
  • the Working Party reviewing the situation released a brief statement to DPAs concerning enforcement action and when it might (or might not) be appropriate. The statement also set a deadline of the end of January 2016 for the implementation of a replacement to Safe Harbor; and
  • negotiations between the EU and the US authorities have accelerated more quickly than expected and it appears, in principle at least, that an agreement in relation to “Safe Harbor 2.0” is in place and may be finalised soon, possibly before the Working Party deadline.

Eversheds recently held a webinar on these issues which can be watched here: https://play.buto.tv/vQM35

Comment

The statement of the UK ICO appears to give business (in the UK at least) a ‘pass’ until the end of January, so some employers relying on Safe Harbor may wish to wait and see how matters progress – especially if a new version of Safe Harbor is likely to be introduced before then.

Before taking that approach, however, it is important that employers consider their risk exposure. For example, those with data flowing from European jurisdictions other than the UK to the US may not be in a position to wait and see, as announcements from other DPAs (such as those in Germany) suggest that not all may be as lenient as the UK.

Issues to consider

From an HR perspective, employers should assess:

  1. What personal data flows does your company have to the US?
  2. Which are the largest in terms of volume of data transferred? Start with these.
  3. Which involve sensitive details, e.g. on health? These are high risk, so consider these as a priority too.
  4. Which of these data flows were made in reliance on Safe Harbor?
  5. To whom were the transfers of data made? Consider internal group transfers and those to third parties.
  6. Do these Safe Harbor based arrangements already include enhanced mechanisms, such as agreed processes and/or contractual provisions?
  7. If not, do your arrangements allow you to introduce or insist upon more protective measures if Safe Harbor fails?
  8. For future contracts and data flows, are your arrangements and HR team up to date on the changes, ensuring no future reliance solely on the current Safe Harbor framework?