On Tuesday the Court of Justice of the European Union declared the Safe Harbour regime, which is used to legitimise the transfer of personal data to the US, to be invalid.
This decision has huge ramifications for both US companies processing European personal data in the US as well as companies in Europe that use third party service providers in the US. Many companies transfer personal data to the US as part of their globalised software systems or outsourcing models. These companies will need to review their current contractual arrangements in order to determine the basis on which the transfer of personal data to the US is being legitimised. As data controllers of the personal data, the ultimate responsibilityin ensuring compliance with data protection legislation rests with them.
Companies which are impacted by this decision and currently rely on Safe Harbour will need to take immediate steps to seek an alternative measure to legitimise the transfer of personal data to the US. These steps include the use of the EU Model Clauses or the use of Binding Corporate Rules.
The US and the European Commission negotiations in relation to a ‘new Safe Harbour’ regime are at an advanced stage. However, the Court of Justice’s decision will likely speed up this process. At the press conference yesterday, the Commission indicated a hope that these discussions would be finalised before the end of the year, however, there is no guarantee that this proposed timeline will be met.