Urgent Need to Consider Alternative Compliance Mechanisms
On Oct. 6, 2015, the European Court of Justice (CJEU) released its final judgment on the closely-watched U.S.-EU Safe Harbor (Safe Harbor) case, ruling that national Data Protection Authorities (DPAs) in the European Union (EU) retain the right to investigate complaints relating to the Safe Harbor and declaring that the Safe Harbor itself is invalid. This important decision will have a significant impact on the large number of companies currently relying on the Safe Harbor to comply with EU law regarding their EU-to-United States (U.S.) data transfers.
The EU has very high standards for privacy and data protection, and the transfer of data from the EU to another jurisdiction is permitted only if the receiving jurisdiction has “adequate” data privacy laws in the eyes of EU authorities. Among the countries that are deemed by the EU not to have adequate data protection laws is the U.S. Given the need of many multi-national businesses to transfer data from the EU to the U.S., in 2000, the European Commission endorsed the Safe Harbor regime, a relatively streamlined and cost-effective means for companies to voluntarily commit to a certain level of data protection in order to legally transfer personal data from the EU to the U.S.