The Court of Justice of the European Union (ECJ) has now declared Safe Harbor invalid – in total. The ECJ has sent the case back to the Irish Data Protection Authority to determine whether Facebook Ireland's transfer of personal data to the US is permitted under EU data protection law, in light of Facebook's participation in the NSA's PRISM program and bereft of the shelter of Safe Harbor.
If your company relies exclusively on Safe Harbor as the basis for its transfer of personal data from the EU to the US, it will need to find another basis for the transfer as soon as possible. This is relevant to any US company that has employees in Europe and could impact how—and even if—HR personal data is transferred, accessed, processed from any EU employees to its US operations. It could also impact the utilization of HRIS cloud systems.
By way of background, the European Union's Data Protection Directive (1995) prohibits the transfer of personal information outside of the European Economic Area unless the receiving country ensures an adequate level of privacy protection. Soon after the Directive was passed, the European Commission determined that the US doesn't offer adequate levels of protection. In response, the EU and the US negotiated the Safe Harbor agreement in 2000 to allow US companies to self-certify that they provide protections that are equivalent to the requirements of the EU's Data Protection Directive. Currently, over 4,500 US companies rely on the EU-US Safe Harbor program to make their transfer of personal data from the EU to the US legal under European privacy laws.
Now, with the Court of Justice's opinion, companies that rely exclusively on Safe Harbor as the basis for its transfer of personal data from the EU to the US, will need to find another basis for the transfer as soon as possible. Our privacy lawyers will discuss these options and other Safe Harbor issues tomorrow October 7 during a webinar they are conducting on this decision. You can register here. It starts at 3:00pm EDT.
Our London-based colleague Susan Foster has background and a full overview of the most recent decision plus a look at what could be next on the chopping block. You can also subscribe to Privacy & Security Matters for more updates. The full decision is also available online in English here (other languages also available at curia.europa.eu by searching on C-362/14). A press release was also issued by the ECJ summarizing the decision.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.