The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed. Few exemptions apply, and the European Union does not consider the laws of the United States to provide an adequate level of data protection. As a result, a company intending to transfer personal information from the EU into the United States traditionally needed to take one of the following steps to achieve the “adequacy” status required by the Directive:
- Safe Harbor Certification
- EU Model Contracts for Data Transfer
- Binding Corporate Rules
The EU-US Safe Harbor Framework (the “Safe Harbor”) was developed by the United States Department of Commerce. Participating companies pledged to adhere to seven privacy principles and agreed that the FTC could investigate and enforce that adherence. In 2000 the EU Commission reviewed the seven principles and the FTC enforcement mechanism, and determined that companies which certified their adherence to the framework met the Directive’s adequacy requirement. In October of 2015, however, the European Court of Justice held that the Safe Harbor was invalid because it failed to offer sufficient levels of data protection. Following that decision, companies certified under the Safe Harbor could no longer rely upon it as a basis for adequacy.