On October 6th, the European Court of Justice declared the US – EU Safe Harbor Framework invalid on several grounds, which may create complications for transatlantic transfers of personal information. As a brief overview, the ECJ found that while the Safe Harbor framework did meet requirements in holding US companies accountable for the privacy of personal data transmissions, it could not ensure or protect the privacy rights of EU citizens against public US institutions.
The Max Schrems Complaint
The Schrems case came about when an Austrian law student brought concerns to the ECJ that his private Facebook data, in transfer from Ireland to the United States, did not comply with EU privacy rights. Schrems claimed that public US institutions (such as the NSA) frequently mined data from US companies without oversight, essentially violating his right to privacy as a citizen of the EU. After reviewing Schrems' complaint, the ECJ came to the same conclusion and ruled the self-certified approach invalid.
Impact and Solutions
If your company transfers employee data from the EU to the US and used Safe Harbor to self-certify, your company is no longer in compliance with EU regulations. However… don’t panic! Keep calm and consider implementing Model Contract Clauses (MCCs). There are 3 sets of model contract clauses provided by the EU to help corporations comply with EU privacy laws. Whether some or all of the clauses should be implemented at your organization depends on how your organization handles private information. For your convenience we’ve added the links to the 3 standard clauses recommended by the European Commission:
- EU controller to Non-EU controller Set 1
- EU controller to Non-EU controller Set 2
- EU controller to Non-EU processor
Depending on your organization’s international structure, you may also consider implementing “Binding Corporate Rules”, which, according to the European Commission, are:
“internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.”
Final Thoughts and Necessary Disclaimer
While the information we’ve provided is accurate and sourced from the European Commission, we advise all organizations to consult with their legal team and/or representatives before taking any action. This article is intended to provide a leg up on the history and research currently available on the topic consolidated into a single article and should be used for informational purposes only.