E.U. Court Invalidates “Safe Harbor” Program: Companies Scramble for Plan B
The Court of Justice of the European Union effectively invalidated the E.U. – U.S. “Safe Harbor” program in a decision released on Tuesday. The Safe Harbor program permitted registered businesses to transfer personal information about E.U. residents to the U.S. without violating various European data privacy laws.
Click here to read the decision itself.
Click here to read a summary in The Wall Street Journal.
For the moment, most privacy professionals are waiting to see how the dust settles, as government regulators discuss a potential replacement safe harbor agreement. The decision itself does not appear to prohibit E.U. – U.S. data transfers, but rather removes the protections of the Safe Harbor, and thus the Data Protection Authorities (DPAs) of a given country could take action against an international data transfer that otherwise would violate national or local law.
Companies previously registered under the Safe Harbor may want to begin working on a Plan B, such as establishing certain inter-company agreements, as directed under E.U. law, to permit the transfer of personal information without Safe Harbor certification.
We will provide updates on this topic on our Alerts page.
If your business is registered with the Safe Harbor program and you would like to discuss your particular risks and mitigation options, please contact any member of Fredrikson’s Data Protection and Cybersecurity Team, including Steve Helland.