On October 6th, the European Court of Justice declared the US–EU Safe Harbor Framework invalid on several grounds, a ruling that may complicate transatlantic transfers of personal information. As a brief overview, the ECJ found that while the Safe Harbor framework did meet requirements in holding US companies accountable for the privacy of personal data transmission, it could not ensure or protect the privacy rights of EU citizens from public US institutions.


“The ECJ found Safe Harbor Framework insufficient in privacy protections.”
What was the EU Safe Harbor Framework?

Up until October 6th, EU Safe Harbor gave U.S. companies the ability to transfer personal data from the EU to the US while complying with the privacy rights provided to European citizens under the EU Data Protection Directive. Companies would “self-certify,” that is, confirm to the Department of Commerce that they met the EU’s minimum requirements for data protection, and provide a public copy of their company’s privacy policy (accessible on company websites). The Federal Trade Commission acted as the enforcement arm of the agreement, investigating complaints and ensuring that companies kept the promises made during self-certification.

The Max Schrems Complaint
The Schrems case came about when an Austrian law student brought concerns to the ECJ that his private Facebook data, in transfer from Ireland to the United States, did not comply with EU privacy rights. Schrems claimed that public US institutions (such as the NSA) frequently mined data from US companies without oversight, essentially violating his right to privacy as a citizen of the EU. After reviewing Schrems’ complaint, the ECJ came to the same conclusion and ruled the self-certified approach invalid.

Impact and Solutions
If your company transfers employee data from the EU to the US and used Safe Harbor to self-certify, your company is no longer in compliance with EU regulations. However… don’t panic! Keep calm and consider implementing Model Contract Clauses, or MCCs. There are 3 sets of model contract clauses provided by the EU to help corporations comply with EU privacy laws. Whether some or all of the clauses should be implemented at your organization depends on how your organization handles private information. For your convenience we’ve added the links to the 3 standard clauses recommended by the European Commission:

  1. EU controller to Non-EU controller Set 1
  2. EU controller to Non-EU controller Set 2
  3. EU controller to Non-EU processor

Depending on your organization’s international structure, you may also consider implementing “Binding Corporate Rules” which according to the European Commission are:

“internal rules (such as a Code of Conduct) adopted by multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.”

Final Thoughts and Necessary Disclaimer
While the information we’ve provided is accurate and sourced from the European Commission, we advise all organizations to consult with their legal team and/or representatives before taking any action. This article is intended to give a leg up by consolidating the history and research currently available on the topic into a single article, and should be used for informational purposes only.

Brought to you by Global Mobility Solutions, a trusted partner in global talent management.