Now that the US-EU Safe Harbor has been invalidated by the European Court of Justice (ECJ) in Schrems v. Data Protection Commissioner, the Safe Harbor no longer provides a legal basis for transfers of personal information from the EU to the US. The ECJ’s press release and the full text of the Schrems decision are available. This does not immediately affect the US-Switzerland Safe Harbor, but it may have implications for that scheme as well.
It is widely expected that data protection authorities in the EU will offer some grace period for companies that have relied on the Safe Harbor, but the authorities are unlikely to be overly generous. So companies need to begin moving quickly to put in place alternative bases for such transfers to avoid being out of compliance with European privacy laws.
These mechanisms can include obtaining unambiguous consent of the data subject, EU-approved model contract clauses (which do not require any regulatory consent), or binding corporate rules (which must be approved by at least one EU data protection authority).
The US and EU have been negotiating over changes to the Safe Harbor, and these negotiations had made progress before the ECJ decision. But the complexities introduced by the decision make it unlikely that a “Safe Harbor 2.0” will be agreed upon quickly. What’s more, any such agreement will be subject to challenge in every EU member state, promising years of uncertainty. So companies should not wait for a new Safe Harbor to be put in place, but should determine which of the alternative bases for EU-to-US data transfers best fits their business, and move expeditiously to implement the necessary contracts, rules, and procedures.