Since October 6, 2015, when the Court of Justice of the European Union (CJEU) issued a decision invalidating the US-EU Data Protection Safe Harbor Framework as it is currently formulated, there has been deep concern about the continued viability of transfers of personal data from the European Union to the United States. The CJEU decision (see Batten Down The Hatches: The US-EU Data Protection Safe Harbor Framework Invalidated (Oct. 7, 2015), available here) casts doubt on the authority of the EU Commission, which officially approved the Safe Harbor Framework in 2000, to determine on a pan-EU basis whether such a framework affords the level of data protection required by the European Parliament's directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

On November 6, a month  after the CJEU issued its decision, the EU Commission issued guidance on permissible means to transfer personal data from the EU to the United States. In its guidance, the EU Commission provides several alternatives to the Safe Harbor Framework as a legal basis for trans-Atlantic data transfers, such as model contractual clauses and binding corporate rules (BCRs) (while questioning the viability of these options in light of the Working Party's concerns over US government surveillance). For further information and analysis, see Arnold & Porter's most recent client advisory on this issue here.