EU-US Safe Harbor Framework Invalidated
On October 6, 2015, the European Court of Justice invalidated the EU-US Safe Harbor Framework that was used by many businesses to transfer personal data from the EU to the US. See Case C-362/14 opinion. This decision had been expected given the European Court of Justice's Advocate General Yves Bot's conclusion that the September 23rd opinion. See Case C-362/14 opinion. The Safe Harbor Framework was put into place because EU data protection law prohibits the transfer of personal data to any country outside of the European Economic Area unless "adequate" protection is in place. The Safe Harbor Framework allowed US businesses to transfer personal data from the EU to the US provided that a US business agreed to certain data protection principles regarding the usage, disclosure, and protection of personal data broadly based on the EU model. See European Commission Decision 2000/520. Now that the Safe Harbor has been invalidated, US businesses need to look at alternative methods to ensure that data can be transferred, such as (1) express consent by a user, (2) use of EU-approved model clauses to allow the data transfer (see European Commission Decision 2010/87/EU, Annex 1 dated February 5, 2010), or (3) binding corporate rules. Eventually, there may be another option as there are current discussions between the Department of Commerce and the European Commission concerning a revised Safe Harbor Agreement.
However, the validity of at least two of the alternative methods has been questioned. On October 14th, one of the German Data Protection Authorities (Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein) stated in a position paper that (1) a broad consent is invalid and that an effective informed consent must provide information about the purposes of the processing, the risks of the data processing, and the level of protection, and (2) parties using the second method "now need to consider terminating the underlying standard contract with the data importer in the United States or suspending data transfers." The underlying reasoning for the defect in the second method appears to be that U.S. laws do not provide sufficient protection to E.U. citizens data.
updated on 10/8, 10/16 (added new last paragraph, and cite to model clauses)