The European Court ruled today that one of the most common mechanisms that European companies use to transfer personal data to the U.S. for processing is no longer the foolproof answer that it was once thought to be.
The safe harbour agreement allowed U.S. companies to self-certify that their systems met certain minimum criteria for the protection of personal data. These minimum criteria were designed to provide a comparable level of protection to that provided under EU Law. However, the European Court has held that the safe harbour agreement is invalid and so the safe harbour provisions cannot continue to apply.
The European Commission has promised to review and renegotiate the safe harbour provisions, but whilst this is pending it is the national data protection authorities and individual companies that must now take action to ensure they comply with data protection principles.
When sending data to the U.S., companies should review their contracts to see whether appropriate data protection clauses need to be added, and amend existing contracts where necessary. Companies reliant on data transfers to the U.S. should address this as soon as practicable to limit the risk of data protection offences arising from the transfer of personal data.
We have already been working with the American authorities to make data transfers safer for European citizens.
In the light of the ruling, we will continue this work towards a renewed and safe framework for the transfer of personal data across the Atlantic.
In the meantime, transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under EU data protection law.