The U.S.-EU Safe Harbor was invalidated by the European Court of Justice (ECJ) yesterday in Schrems v. Data Protection Commissioner, meaning that the Safe Harbor no longer provides a legal basis for transfers of personal information from the EU to the United States. Companies that have relied on the Safe Harbor to justify the transfer of personal data from the EU to the United States now need to move quickly to put in place alternative bases for such transfers, so that they are not found out of compliance with European privacy laws. These mechanisms can include obtaining the unambiguous consent of data subjects, EU-approved model contract clauses (which do not require any regulatory consent), or binding corporate rules (which must be approved by at least one EU data protection authority). The ECJ’s decision does not immediately affect the U.S.-Switzerland Safe Harbor, but it may have implications for that scheme as well.
Although the United States and EU have been negotiating over changes to the Safe Harbor, and these negotiations will continue, it is unlikely that a “Safe Harbor 2.0” will be agreed to any time soon, and any such agreement will be subject to challenge in every EU member state, promising years of uncertainty. So companies should not wait for a new Safe Harbor to be put in place, but should determine which of the alternative bases for EU-to-U.S. data transfers fits their business the best, and move expeditiously to implement the necessary contracts, rules, and procedures.