The ruling by the Court of Justice of the European Union, which determined the EU-US Safe Harbor to be invalid, has vast repercussions for many organisations, in particular US technology companies that have relied on Safe Harbor essentially to side-track more stringent EU data protection laws and regulations.
This two-part series of articles provides an overview of the Safe Harbor decision, as well as practical advice on the way forward for businesses to transfer data in compliance with the EU’s approach to data protection and privacy. In Part 1, we look at the background to and the main features of Safe Harbor, and explain why, and how, its provisions have become obsolete.
This part of the article also highlights the main implications of the invalidity of Safe Harbor, with practical suggestions as to how organisations can lawfully continue data transfers.
In Part 2, we will consider the main characteristics of the replacement option to Safe Harbor, the EU-US Privacy Shield.
Invalidity of EU-US Safe Harbor - Practical Implications
The recent ruling by the Court of Justice of the European Union (“CJEU”), which determined the EU-US Safe Harbor agreement (“Safe Harbor”) to be invalid, has vast repercussions for many organisations, in particular US technology companies that relied on Safe Harbor essentially to side-track the stringent EU data protection laws and regulations. The purpose of this article is to provide a complete overview of the Safe Harbor decision in the hope that businesses can find a practical way to comply with the EU’s approach to data protection and privacy.
European Union Approach to Data Protection
The EU Data Protection Directive 95/46/EC (“Directive”) applies to countries of the European Economic Area (“EEA”), which includes all EU countries and, in addition, the non-EU countries Iceland, Liechtenstein and Norway. Based on the Directive, the European Commission (“EC”) has ruled that the following jurisdictions have adequate safeguards in place which match the requirements of the Directive. This is significant as it allows for a more efficient transfer of personal data between these jurisdictions and EEA member states. The following states are deemed to have adequate safeguards in place in relation to the Directive:
|Andorra|Isle of Man|Uruguay|
|Faroe Islands|New Zealand| |
The Directive aimed to safeguard the data protection and privacy rights of EU citizens as valuable, inherent human rights. Commercially, the Directive assisted the free flow of personal data between EEA member states and the approved jurisdictions. However, the flow of personal data between EEA member states and third party countries was made more difficult, as additional legal requirements had to be met before any transfer to a third party country could be deemed to provide “adequate” protection to data subjects. This often resulted in transfers being delayed until companies were comfortable that they had implemented certain legal and regulatory requirements. However, exceptions (or “derogations under Article 29”) to this rule could be applicable…
To read more of this article, please access the following website: http://www.pdp.ie/journals/compliance-and-risk-back-issues