What was Safe Harbour?
The Safe Harbour Framework was a cross-border transfer mechanism which complied with EU data protection laws and allowed the transfer of personal data between the EU and the USA. More details on how Safe Harbour worked can be found here.
Why was the Safe Harbour Framework invalidated?
In its ruling of 6th October in the recent Facebook case, the Court of Justice of the European Union (CJEU) held that “US Companies do not afford an adequate level of protection of personal data” and that the Safe Harbour Framework is therefore invalid.
The CJEU indicated that US legislation authorises, on a general basis, the storage of all personal data of all persons whose data is transferred from the EU to the US, without any differentiation, limitation or exception being made in light of the objectives pursued, and without providing an objective criterion for determining limits to the access and use of this data by public authorities.
The CJEU further observed that the Safe Harbour Framework does not provide sufficient legal remedies to allow individuals to access their personal data and to obtain rectification or erasure of such data. This compromises the fundamental right to effective judicial protection, according to the CJEU. You can read the European Court of Justice Press Release here.
There have been concerns about the Safe Harbour Framework for some time, and the European Commission and the US authorities have been negotiating with a view to introducing an arrangement that provides greater protection of privacy to replace the existing agreement.
How can I now transfer my data to the US?
Organisations that have been using Safe Harbour will now have to review how they transfer personal data to the US and come up with alternative solutions. However, it is worth noting that the Information Commissioner’s Office has recognised that this process will take some time, and James Milligan at the DMA states that data already transferred to US-based companies under Safe Harbour will be unaffected.
In the meantime, multi-national companies transferring data to their affiliates can look at using Binding Corporate Rules, which allow data transferred from the EEA to remain in compliance with the 8th data protection principle.
Another legal method of transferring personal data to the US is to use the Model Contract Clauses produced by the EU for transfers of personal information outside the EU.