As we wrote on October 6, 2015, the Court of Justice of the European Union (CJEU) announced its invalidation of the U.S.-EU Safe Harbor program as a legally valid pathway for transferring personal data of European Union (EU) residents from the EU to the United States. An avalanche of reports, analyses and predictions followed the CJEU announcement because so many U.S. businesses operating in the EU relied on the validity of the Safe Harbor program.
As we expected, the CJEU decision was not the final chapter. On October 16, the Article 29 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data (the Working Party, an independent advisory board to data protection authorities in EU members states) called on the EU member states to “open discussions with the US” to find a viable alternative to the Safe Harbor program.
Echoing the CJEU’s concern about “massive and indiscriminate surveillance” by the U.S. government, the Working Party challenged the United States and EU to produce by 31 January 2016, a new data transfer framework with “stronger guarantees” of EU residents’ “fundamental rights” to data privacy, as well as “redress mechanisms” for violations.
In the meantime, the Working Party affirmed that data transfers formerly validated by the Safe Harbor program are not legal. It also noted its intent to evaluate the validity of the two other key data EU-U.S. transfer pathways: Binding Corporate Rules (BCRs) and Standard Contractual Clauses.
What This Means for U.S. Businesses
While waiting for news of Safe Harbor: The Sequel, our Privacy and Data Protection Group continues to advise a business that relied on the Safe Harbor program to:
- Classify the data transferred from the EU to the United States (employee, consumer, business contacts, etc.).
- Determine which of the data transfers from the EU to the United States were formerly validated by Safe Harbor.
- Identify vendors that transfer EU personal data for the business and determine how those vendors validate their transfers (e.g., Did a vendor represent that it could make legitimate transfers via Safe Harbor, and, if so, what happens now?).
- Decide how best to address EU to U.S. personal data transfers under one of the other data transfer pathways based on data classification (e.g., Binding Corporate Rules for intra-company transfers; Standard Contractual Clauses for transfers to third parties that do not otherwise meet EU requirements; or consent of each EU data subject—an impractical option for high-volume transfers).