Safe Harbor No More: EU Data-Transfer Ruling Impacts US Companies

A ruling Tuesday by the European Court of Justice (ECJ) that invalidates the US-EU “safe harbor” data transfer agreement could have significant repercussions for businesses that transfer personal data from the EU to the US.

The agreement, in place since 2000, aimed to safeguard European citizens’ data privacy, per the EU’s Data Protection Directive. Participating US-based companies — around 4,500 — agreed to follow a set of rules for handling personal information from the EU, and in return received automatic approval for data transfers from the EU to the U.S.

The ECJ said that many participating companies were not complying with safe harbor principles, and it raised the issue of “indiscriminate surveillance” by US government agencies.

Risk Management Implications

The ECJ’s decision raises a number of questions. Any US-based company that collects personal data of EU customers may no longer be able to transfer it to servers in the US under safe harbor.  The ruling could even affect a company’s ability to transfer payroll and other data of EU employees to US systems, if it is relying solely on safe harbor.

Since they can no longer rely on safe harbor, any company that continues to transfer personal data from the EU to the US will be in violation of EU privacy law, unless it has an alternative legal basis to legitimize the transfer. Some companies had previously entered into alternative arrangements that may allow them to continue their data transfers.

Next Steps

Organizations that previously moved personal data from the EU under the safe harbor should review — with counsel —their compliance processes and policies and consider alternatives to meeting the EU’s data transfer requirements. Companies that don't move data from the EU but relied on a service provider that may have been doing so should review what the provider is doing to address the invalidation of safe harbor and consider next steps.  

You can view a list of safe harbor participants here, though it’s important to note that a company is not necessarily noncompliant simply because it is on the list.

Depending on policy language, the fact that an organization’s data handling practices may no longer be in compliance with EU regulations could create an event triggering cyber insurance coverage. Companies that were moving data under safe harbor should work with their insurance advisors to review policy language and determine if insurer notification is required.

Technology errors and omissions (E&O) coverage may also apply, but these polices are generally only triggered by direct demands. If your organization receives a claim from a customer that was previously using safe harbor, you should immediately notify your insurer.

We expect more clarity to emerge in coming weeks as regulators make their views known. For more information, read law firm Norton Rose Fulbright’s compliance alert on the ECJ ruling.