Thousands of companies currently transfer personal data from the European Union to the United States, relying on the U.S.-EU Safe Harbor agreement to do so.
On Oct. 6, 2015, the EU’s highest court struck down this agreement on the grounds that it infringes European citizens’ fundamental right of privacy because it gives U.S. governmental authorities open access to online information and personal data.
This decision is important because it will require company owners and executives to evaluate and fundamentally change how personal data transfer and privacy compliance are handled.
Please contact Gunster attorneys Stacie Townsend, David Bates or Bob White with any questions about how this may affect your business.
* * * *
Why it's problematic
The U.S.-EU Safe Harbor agreement allowed companies to transfer personal data from the EU to the U.S. by complying with a single set of rules for both jurisdictions.
The court’s ruling creates significant problems for companies because each EU member can now create its own rules and regulations. Compliance with multiple international regulatory frameworks will be very costly and burdensome.
This ruling will affect more than just technology companies. It will affect any company transferring personal data across the Atlantic, which could include payroll, human resources and/or customer information.
What's next
The EU and the U.S. are in the process of negotiating a new Safe Harbor agreement that will comply with the court’s ruling.
Until then, however, large and small companies alike will need to find an alternative mechanism to transfer personal data from the EU to the U.S.
For instance, as Commissioner Vera Jourová of the European Commission noted after the court’s ruling was announced, "standard data protection clauses in contracts” and “binding corporate rules for transfers within a corporate group” may be alternatives to the now-invalid Safe Harbor agreement. These alternative mechanisms and other compliance methods will need to be further developed and refined.
Businesses are sure to face increased compliance requirements and related costs as a result of these changes.
Company owners and executives are encouraged to take action now to identify how these changes affect their ability to transfer data across the Atlantic, research alternative mechanisms appropriate for their businesses, and implement alternative mechanisms to ensure compliance with the EU’s privacy and data protection laws.