Last year, the European Court of Justice issued a judgment invalidating the safe harbor framework for US-EU data sharing, creating uncertainty and a number of questions about what is, and is not, permissible when sharing data involving personal information across borders. The Safe Harbor decision has clear implications for our pharmaceutical and medical device clients, and we’ve covered the issue often, starting with the European Court of Justice’s judgment in Maximillian Schrems v. Data Protection Commissioner (C-362-14), which we discussed here.
As key deadlines and decisions relating to the EU-U.S. Safe Harbor framework loom, there have been several recent developments that may be of interest to businesses operating in the European Union and United States.
Reed Smith’s Client Alert “If Safe Harbor is dead in the water, what does that mean for you?” written by Cynthia O’Donoghue, Daniel Kadar, Kate Brimsted, Dr. Thomas Fischl, Philip Thomas, Katalina Bateman, Doretta Frangaki, Caroline Gouraud, Chantelle A. Taylor, Tom C. Evans, Dr. Alexander Hardinghaus, LL.M., and Dr. Alin Seegel discusses the steps your company might need to be taking now, as well as the state of “Safe Harbor 2.0” negotiations.
We’re revisiting the issue because January 31, 2016, is right around the corner. This date marks the announced deadline for a new data-sharing agreement between the European Union and the United States, as well as the coinciding deadline set by EU data protection authorities for companies previously Safe Harbor-certified to have other data transfer mechanisms in place. As it looks less and less likely that political negotiations will come to a successful conclusion by the end of the month, and as it would take time for companies to become certified under a new Safe Harbor regime regardless, businesses need to implement interim measures to minimize risks.
For companies that were themselves Safe Harbor-certified, this means finding new ways to legitimize data transfers between group companies. Cynthia O’Donoghue et al. discussed this topic, and some options available to businesses , in a previous Reed Smith Client alert. For companies that use suppliers that were previously Safe Harbor-certified, this means both finding new ways to legitimize data transfers to those suppliers and ensuring that suppliers are handling any onward transfer of this data in compliance with the law.