Fifteen years ago the Commission of the European Communities issued the Safe Harbour decision. This allowed information and data to be transferred out of the EU, which has high privacy and security standards, to US companies that adhere to the Safe Harbor data protection standards. Those standards were deemed to provide an adequate level of protection to satisfy the EU requirements.
Austrian law student Max Schrems took issue with the adequacy of the protection of his Facebook private information from the prying eyes of the US Government provided by Safe Harbour. Edward Snowden’s actions helped to bring that house of cards down. While Safe Harbour protected information within the private sector, it was not enough to protect it from the government. The Commission has therefore ruled that the Safe Harbour Decision is invalid.
Oct 6th, Commissioner Vera Jourová provided two alternatives for the short term: the use of standard data protection clauses in contracts between companies exchanging data across the Atlantic, or binding corporate rules for transfers within a corporate group.
What this means for US companies doing business in the EU is still unclear. What is certain is that privacy and the protection of personal information will be much higher on their priority list – and that is a good thing.