What should my business do now?
The EU and the US may replace Safe Harbor, but this is unlikely to happen quickly.
In the interim, EU-US data transfers can continue, but businesses should take steps to manage their data protection risk.
Right now, you should:
- assess whether your organisation currently uses Safe Harbor as a legal basis for EU-US data transfers, including for customer and internal data (e.g. employee data). As well as data transfers in the ordinary course of business, it’s worth looking at arrangements on acquisitions;
- review whether your suppliers use Safe Harbor. In particular, many enterprise cloud computing services rely on Safe Harbor for lawful data transfers to servers in the US (e.g. email, hosting, payroll, ERP and CRM systems, as well as cloud-based storage and compute services);
- identify the best alternative legal basis for your EU-US data transfers. In the short term, most organisations will need to put contractual arrangements in place (e.g. the EU model clauses). It might also be worth considering longer-term solutions for intra-group data transfers, such as binding corporate rules;
- be prepared for national DPAs to scrutinise your data transfers. The judgment doesn’t affect the validity of other legal bases for international data transfers, but it affirms that DPAs can investigate complaints on a case-by-case basis. Expect DPAs to focus on the substance rather than the legal form of safeguards; and consider how your business can prove it protects any data sent outside the EEA.
The following briefing explains the background and implications of the ECJ decision. Note that the ECJ’s decision does not pose a direct threat to a significant proportion of transatlantic data flows, including in the context of investigations, but:
- it is still important to consider whether a data transfer to the US complies with data privacy (and other) laws;
- Safe Harbor isn’t typically relied on for those transfers, and other potential gateways for lawful data transfers remain available, including the EU model clauses and other legal exemptions; and
- European companies might be indirectly affected if they use suppliers that rely on Safe Harbor to send personal data to the US (although US data storage providers and processors are likely to change their processes in response to the decision).
This briefing is available at: http://bit.ly/1MpHtD4