Safe Harbor Dead: What U.S. Businesses Need to Know/Do Next

The decision of Europe’s top court yesterday to confirm that the ruling that the Europe Union(EU)/U.S. Safe Harbor scheme, Commission Decision 2000/520, was invalid has major implications for any businesses transferring data from the EU to the United States.

Many U.S. businesses set themselves up to try to rely on the Safe Harbor scheme to get around the EU law restriction prohibiting transfers to countries that were not deemed “adequate.” (The United States, much to American business’ irritation, is deemed inadequate under EU law for this purpose.)

Various concerns built up the pressure which ultimately led to yesterday’s ruling. They included concerns over how U.S. tech giants such as Google, Facebook and others were using, moving and sharing data, combined with the Snowden leaks; concerns over how authorities in other countries could access EU citizens’ data; and growing concern by the data enforcers in the major EU countries over a perception that U.S. companies were ignoring legal obligations under EU law even if doing business in Europe and/or claiming to follow the Safe Harbor scheme requirements.

Additional Source:  With Safe Harbor now “Invalid,” Companies Must Change Data Practices