Fresh Data Blog
Update on EU Safe Harbor Invalidation
Date: October 2015
You may have become aware of a recent decision by the European Court of Justice declaring that the US Safe Harbor program is not sufficient to assure legal protection for European data transported to the US. While the main precipitator of this invalidation concerns the security of EU personal data held by companies such as Google and Facebook, in light of the Snowden revelations, we thought it important to communicate to our readership, and especially those of you working with EU data, what this ruling actually means and how, if at all, it should affect your business.
Cross-Atlantic Data Transfer is Still Legal
First, and most critically, the decision does not require that companies immediately cease transfers of EU personal data to the United States, nor does it hold that either sender or receiver is violating the law. The decision does reaffirm something that was implicit in the Safe Harbor system in any case, which is that national regulators in Europe have authority to suspend transfers of data to the US if they believe that the protection provided is not sufficient. It is important to note that the guidance we’ve received to date underscores that simply using a US Data Processor for EU data does not in itself constitute insufficient protection.
We understand very clearly that the decision does not say that any American recipient or processor of European data was treating that data in a manner that endangered that data or violated any person’s rights or the law. It does not say that such transfers must stop. It only authorizes national data protection authorities to investigate transfers now in process.
In short, the court said only that the Safe Harbor program was not sufficient under European law to prevent that violation. We disagree with that decision. And so do many companies in both Europe and the United States who entrust their data to us.
Special Note On Switzerland Safe Harbor
An important exemption to the effects of this ruling involves Swiss data. Switzerland, as a country that never entered the European Economic Area (EEA), has for some time had its own separate Safe Harbor certification. This certification is still valid and was not in any way affected by the EU Safe Harbor invalidation ruling.
As you know, Data Services, Inc. is committed to high standards of security regarding all of its operations and the data it is entrusted with, regardless of its source. Copies of our Security Statement are available upon request and our Privacy Policies are available on the Data Services, Inc. website.
Over the next days and weeks, we will be closely keeping tabs on the ongoing negotiations of the US Government as well as organizations such as international DMAs, FEDMA and their related legal advisors as they work diligently toward a resolution to the vacuum left in the wake of the European Court of Justice ruling.
Many of us saw this coming given the age and declining relevance of the original Safe Harbor agreement, and the united hope is that this will only serve to speed the process, which has already been taking place over the last two years, of incorporating a new “Safe Harbor 2.0” agreement.
Note on Model Contract Clauses
From the European Commission Website:
“The Council and the European Parliament have given the European Commission the power to decide, on the basis of Article 26 (4) of directive 95/46/EC that certain standard contractual clauses offer sufficient safeguards as required by Article 26 (2), that is, they provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights.
The European Commission has so far issued two sets of standard contractual clauses for transfers from data controllers to data controllers established outside the EU/EEA and one set for the transfer to processors established outside the EU/EEA.”
Data Services, Inc. has worked diligently with our legal representatives and is at the ready with updated contracts which include Model Contract Clauses for those clients who would like the additional peace of mind when transferring their EU data to Data Services as a US-based Data Processor.
While nothing need change in our business relationship due to the recent ruling, we encourage you to contact your Data Services, Inc. representative for additional information on any of the topics addressed in this article. More updates are sure to follow as this is an important and evolving issue. Please also note that this article is not meant to serve as legal advice.
UK DMA - Guidance to Members on the European Court of Justice Safe Harbour Decision
US DMA - Response to European Court of Justice Safe Harbor Ruling
European Commission - Model Contracts for the transfer of personal data to third countries