Safe Harbor data exchange between EU and US deemed invalid
The European Union’s highest court, the Court of Justice (CJEU), ruled on October 6, 2015 that the EU-US Safe Harbor Agreement is invalid, effective immediately. The agreement was a voluntary self-certification system that permitted over 4,000 eligible U.S. companies to receive the personal data of Europeans if they publicly agreed to treat the data according to the Safe Harbor Principles. After being deemed invalid, however, the agreement no longer provides a basis for transferring personal data from the EU to the U.S.
While data protection advocates praised the court’s decision, industry executives and trade groups claim that it left a lot of uncertainty for companies that rely on access to this data for lucrative businesses such as online advertising.
Another repercussion of this decision is that it could prove to be a regulatory nightmare for companies that may be required to comply with fragmented data protection rules across the EU’s 28 states. In the short term, U.S. companies that had relied on the agreement should search for alternative data transfer mechanisms to lawfully transfer EU personal data to the U.S. Those that do not discover an alternative mechanism to transfer EU personal data may have to store it locally within EU Member States.
The Court of Justice’s ruling has disrupted the legal framework for trans-Atlantic data flows. A political solution to preserve the ability to transfer personal information overseas is needed, but finding a solution that pleases both citizens and businesses may prove to be costly. U.S. companies should be cognizant of what the European Commission is doing with data transfers, and watch for rulings from the relevant data protection authorities.
About the Author
Michael Talmanson is an Area Senior Vice President at Gallagher WGA in the Property and Casualty Group and area leader of the firm’s Technology and Cyber Risk Practice. He advises high technology, life sciences and financial services companies about insurance and risk management matters.