EU judges overturn “Safe Harbor” agreement
It has now actually happened! As we already predicted last week (article of 30 September 2015), the Court of Justice of the European Union (CJEU) has followed the recommendation of its Advocate General and declared the Safe Harbor agreement between the EU and the USA invalid. This means that with immediate effect transfers of personal data from Europe to companies in the USA can no longer be justified by Safe Harbor. This judgment will not just affect Facebook, but thousands of other companies as well. From one moment to the next, the basis they have used up to now for sending personal data to service providers and other companies in the USA has been pulled from under their feet. This also applies to the exchange of data between European and US group companies.
Companies who up to now have based their transfers of data on the Safe Harbor certification of the relevant companies in the USA will have to react immediately or otherwise be faced by civil, administrative or even criminal sanctions. The frequently used EU standard contract clauses already employed today primarily come into consideration as a replacement for Safe Harbor. Another possibility would be what are known as “ad-hoc agreements” (although these would have to be approved by the data protection authorities). Alternatively, binding corporate rules could be used especially for the exchange of data within company groups.