Alternatives to Invalidated Safe Harbour
Safe Harbour Invalidated
On October 6, 2015, the EU Court of Justice (ECJ) ruled that the Safe Harbour framework no longer provides a legal basis for transferring personal data from the EU, as there are insufficient safeguards in the U.S. for the personal data of EU citizens. Companies that previously relied upon Safe Harbour have to find other solutions. The (relatively) good news is that the European authorities are unlikely to seek retroactive action over data transferred through Safe Harbour before the ECJ ruling.
As of today, vibrant trade continues across the Atlantic. However, the ECJ ruling has created legal and practical uncertainties that need to be resolved. Transatlantic companies might want to address the practical effects of the ECJ decision while awaiting further guidance from regulators. Below are some legal alternatives to Safe Harbour.
Adopt model clauses approved by the European Commission. Unlike Safe Harbour, model clauses put limitations on sharing personal data and are open to potential legal action in the event of breach. Salesforce has issued a statement urging European customers to update their agreements with a data processing addendum that inserts the model clauses. Dealing with this issue, Salesforce follows in the footsteps of Microsoft: its cloud services now come loaded with the model-clause defense.
Adopt binding corporate rules (BCR). BCR are EU-approved internal rules adopted by a multinational group of companies that define its global policy on international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection. They might be costly and time-consuming to develop and implement, but the data transfer capacities would remain the same as under the Safe Harbour agreement.
Get European users to explicitly allow the company to transfer their data to U.S. servers. Yet in this case you have to consider what to do with users who are not willing to give consent. You may lose them as customers, or find a way to store their data within the EU.
Restructure Data Storage Architecture
Another option is to restructure data storage architecture to make sure that European data is stored in Europe. The ECJ decision does not require data localization within the EU, but eliminating personal data transfers could be a solution for some companies.
Share your thoughts about the prospects of Safe Harbour and transatlantic personal data transfer. We would love to hear your opinion on this issue: simply drop us a line at firstname.lastname@example.org.