European Court of Justice Judgment Finds U.S.-EU Safe Harbor Framework Inadequate for Protecting Data
On October 6, 2015, the European Court of Justice invalidated the European Commission's prior finding that the U.S.-EU Safe Harbor Framework was an adequate means for protecting data transfers between the European Union and the United States. For thousands of United States companies that self-certified as complying with the Safe Harbor, and European companies with whom they do business, this raises significant questions about whether they are in compliance with the various laws of the EU countries.
What to do? There are a variety of options. Deciding how to respond will depend upon the unique circumstances of the company, the data that it transfers, and the EU countries from which the company collects data. A good Safe Harbor program can serve as a starting point for developing a more robust privacy program that complies with the specific EU-country laws. Companies might consider executing, implementing, and carefully following standard contractual clauses issued by the European Commission. Large multinational companies might consider adopting binding corporate rules to internally regulate data transfers within a corporate group. Companies should also consider whether any derogations apply (e.g., unambiguous consent by the data subject).
Although the ECJ's ruling poses a new challenge to United States companies, it is not insurmountable. Companies seeking to update their privacy policies or confirm compliance should consult with foreign and domestic privacy lawyers of their choice.