"In early October 2015, a key agreement that allows the transfer of European residents’ personal data from the European Economic Area (EEA) to the U.S. called ‘Safe Harbour’ was deemed invalid by Europe’s top court. The European Court of Justice (ECJ) made the landmark ruling on the agreement which has been in place since 2000.
The court concluded that the agreement did not provide adequate protection for personal data in the context of access by intelligence agencies, an issue brought to light by former National Security Agency (NSA) contractor Edward Snowden, and Austrian student Max Schrems, who filed a complaint against Facebook with the Irish data protection authority after Snowden’s publications in 2013.
What Happens Now?
Companies need to find another mechanism to legally “export” (or grant access to) personal data outside the EEA. The various options are discussed below. In addition, the ECJ confirmed that national data protection authorities have the authority to examine whether transfers of personal data to a third country meet the requirements of the EU data protection legislation.
Different countries and organisations have had a wide range of reactions to the ruling. Some data protection authorities (DPAs) have suggested a ban on most U.S. transfers, others have reached out to companies that have relied on the Safe Harbour, reminding them to implement a compliant solution, while the UK is telling its businesses not to panic.
The so-called Article 29 working party (which represents all EU data protection authorities) set a deadline of the end of January 2016 to implement a compliant alternative to Safe Harbour. While work on ‘Safe Harbour 2’ continues, most DPAs have stated that transfers to the U.S. should be treated in the same way as transfers to most other major economies outside of the EEA, and legitimised using one of the other transfer options available."