U.S.-EU Safe Harbor Framework Relied on by Over 4,000 Companies No Longer Valid
This week, the Court of Justice of the EU (CJEU) ruled that the current U.S.-EU Safe Harbor Program is no longer a valid method for ensuring adequacy under EU Data Protection Directive 95/46/EC for international data transfers.
The U.S.-EU Safe Harbor had been in place since 2000, and more than 4,000 U.S. companies relied on the framework.
Many businesses are left wondering what to do until the Department of Commerce and the European Commission can finalize a new Safe Harbor framework.
International Data Transfer Options Companies Have Without Safe Harbor
Q: What is the anticipated timeline for enforcement?
A: “The ruling of the court is effective immediately. The general principles — that the court highlighted and therefore they became part of European Union law — they’re effective today.” – Andrea Glorioso
Q: From the view of small companies, would you advise letting Google, Amazon, and Facebook lead the way here?
A: “This is an issue for everyone, and while different resources can be expended against it based on your size and scope, that also typically represents the size and scope of the data that you might be transferring and the efforts it might take to think through these things, but it’s a dramatic enough change it has broad-reaching implications such that hoping it goes away and hoping that big people that have higher risk profiles with higher data being moved to get in trouble first… The ostrich plan is not a good one.” – Chris Babel
Q: Do you think version 2.0 is around the corner? If not, in what timeframe do you think that will be released?
A: “We have been discussing with America about a revised Safe Harbor, but whatever we come up with now, it will have to be compatible. It will have to respect the parameters that the European Court of Justice has given us with this ruling.
We cannot give you timing for that except to say that we certainly have a common interest in finding a new mechanism that is as efficient as Safe Harbor but at the same time respects European Union citizens’ rights in the way that the European Court of Justice told us.” – Andrea Glorioso