Earlier this year I discussed data privacy essentials for in-house counsel. The post covered a number of basic data privacy issues, including the 2000 U.S.-EU Safe Harbor Agreement. The agreement allows U.S. companies that register and agree to its terms to legally transfer personal data from the EU into the U.S. The agreement was necessary because the European Commission (the “Commission”) determined that the U.S. did not have “adequate” data protection laws; without such an agreement, therefore, the ability to transfer personal data out of the EU and into the U.S. was limited by the provisions of Article 25(6) of the 1995 Data Protection Directive. The Safe Harbor Agreement remedied the problem by creating a mechanism under which U.S. companies could agree to apply core EU data protection principles to personal data and subject themselves to regulatory oversight by the Federal Trade Commission or the Department of Transportation.
Last week (October 6, 2015) the European Court of Justice invalidated the Safe Harbor Agreement. The court found that the agreement did not provide “essentially equivalent” data protection to EU citizens (primarily because of the then unfettered access to personal data by U.S. intelligence agencies under the PRISM program). The court also held that local Data Protection Authorities (DPAs) are empowered to independently assess whether a non-EU country provides adequate protection, regardless of whether the Commission has already determined that it does.
The result is a big mess regarding how companies that relied on the Safe Harbor Agreement can legally transfer personal data out of the EU and into the U.S. and how things will work in the future if DPAs can override a Commission decision on the adequacy of data protection in non-EU countries. This edition of Ten Things discusses some practical things U.S. companies should do next in light of last week’s development.