EU-US Safe Harbor invalidated. What’s next?
The European Court of Justice has ruled that the “Safe Harbor” agreement that allowed the transfer of European citizens’ personal data to the U.S. is no longer valid.
Under a decision of the European Court of Justice of October 6th, 2015 (Case C-362/14), the administrative adequacy mechanism named "Safe Harbor", agreed 15 years ago between the European Commission and the U.S. Department of Commerce (Decision 2000/520/EC of 26 July 2000) and allowing the legal transfer of European citizens' personal data to its member companies, has been declared invalid.
Consequently, Safe Harbor can no longer serve as the single administrative instrument of adequacy guaranteeing a level of protection in line with EU rules for transfers of personal data between the EU and the United States. This currently affects more than 4,500 member companies in the U.S.
Therefore, to transfer personal data from the EU to the U.S., the person or company located in the EU must now mandatorily rely on one of the following two mechanisms: (a) either entering into contractual provisions meeting EU standards for the protection of personal data, or (b) adopting binding corporate rules (BCR) that meet EU standards for the protection of personal data.
Following the judgment, negotiations on a new legal instrument are under way to seek an interim solution, and the data protection authorities of the EU member states are currently reviewing the legal and operational consequences of the judgment in order to clarify its impact on businesses and to issue further guidance for them.
At the same time, discussions are also in progress between the European Commission, the European Parliament and the Council of the EU on the proposed General Data Protection Regulation (GDPR). The three European institutions have agreed upon a roadmap for finalization of the reform by the end of 2015 and publication of the new EU Regulation at the beginning of 2016, replacing the EU's current data protection directive, in force since 1995.
These new EU rules will notably apply to overseas IT providers hosting personal data of EU residents, even if the IT provider’s clients are not themselves established in the EU.
In other words, the new EU Regulation will apply worldwide to all non-European companies that process the personal data of EU citizens, including the US companies affected by the disappearance of Safe Harbor.
Urgent action is needed on their part to achieve compliance with the new rules without delay, as fines imposed for a breach of the new EU Regulation may amount to up to EUR 1 million or 2% of a company's annual worldwide turnover.
October 12th, 2015