On 6 October 2015 the European Court of Justice ruled that the US-EU ‘Safe Harbor’, the agreement that for years businesses have relied on to transfer their customers’ personal data back and forth across the Atlantic, is invalid with immediate effect.
This has profound implications for the many thousands of businesses that send personal data to the US or import personal data from Europe. These will now have to urgently find alternative means to comply with the Data Protection Directive (which requires organisations that collect personal data relating to EU citizens to retain such data within the EEA unless it is being transferred to a jurisdiction which ensures ‘adequate’ protection for such personal data).
This means those businesses affected should ask their lawyers to review existing contracts under which such transfers are made, to establish if there are adequate and suitable clauses in them which can be relied on in place of ‘Safe Harbor’. If not, these contracts should be renegotiated.
One rapidly developing area that may now face difficulties is cloud computing. Any business operating on this basis should check to see if the servers used by the cloud provider are outside the EEA. If they are, and the transfers of their clients’ data outside Europe rely exclusively on ‘Safe Harbor’, those businesses are likely to be in breach of the Data Protection Directive (enacted in the UK as the Data Protection Act 1998).
The Atlantic just got a lot wider and deeper.