On November 6, 2015, the European Commission (“EC”) released guidanceon transatlantic data transfers in light of the ruling by the European Court of Justice (“ECJ”) last month invalidating the Safe Harbor framework that had streamlined the transfer of personal data from Europe to the United States since 2000. The EC released guidance to provide an overview of alternative mechanisms for data transfers from the European Union (“EU”) to the U.S. in light of the ECJ decision. The EC also announced in a press release that it expects to conclude its negotiations with the U.S. within the next three months.
Since the Safe Harbor framework can no longer serve as a legal basis for data transfers from the EU to the U.S., the EC highlighted other mechanisms for the transfer of data. The EC’s guidance did not provide new solutions as these alternative mechanisms already existed and were always incomplete substitutes for the framework.
The first option is for companies to use model contractual clauses approved by the EC. These clauses can be complex and difficult to administer, although they may be a viable interim solution for companies that do not have a complex structure.
The second option is for companies to use Binding Corporate Rules (“BCR”s), which are internal policies adopted by multinational organizations and formally approved by European Data Protection Authorities. BCRs arguably provide a longer-term solution for businesses operating globally, but they can be time consuming to implement and may only be a viable interim solution for those companies that are further along in the BCR approval process or have BCRs already in place.
Companies may also rely on derogations under the EU Data Protection Directive 95/46/EC, which permit data transfers under certain circumstances, including informed consent to a transfer or transfers required for performance of a contract. It remains doubtful that derogations could serve as a complete substitute for the Safe Harbor framework, because EU courts strictly construe derogations, and they are meant for use as a fallback option and not for mass or repeated transfers.