Safe Harbor: 5 Tips That Companies Need to Consider

  • Practical Guidelines for companies for dealing with the Safe Harbor verdict
  • eco calls for a quick and practical new regulation for data transfers to the USA
  • New eco Guidelines calls for balance between data protection and innovative commercial data processing

The case of the Safe Harbor agreement for the transfer of data between the EU and the USA, found invalid by the European Court of Justice on 6 October 2015, means considerable legal uncertainty for many companies, especially those making use of Cloud services. eco – Association of the Internet Industry recommends that all companies that  store data on US servers or regularly transfer data to the US should examine their business practices and adapt them if necessary. As a practical guide, eco suggests the five tips below for dealing with Safe Harbor. Further information can be found in the eco White Paper on the CJEU Safe Harbor Decision.

A practicable balance between barrier-free international data flow and the protection of personal data is accorded an extremely high value, as it forms the commercial basis of many European companies from all industry sectors. eco calls for the Commission to push for rapid agreement in the current negotiations towards a new Safe Harbor Agreement. If it turns out not to be possible to come to agreement quickly, the Commission, the Member States and the European Parliament will need to take the consequences of the CJEU verdict into account in the almost completed legislative process for the General Data Protection Regulation. eco recently published Guidelines defining the foundation principles, which, in the eyes of the Internet industry, should form the orientation for the General Data Protection Regulation, so that the regulation can become one of the supporting pillars in the realization of the Digital Single Market.

Five tips for companies for dealing with the Safe Harbor Agreement

  1. Check whether you are affected! Companies that transfer personal data to the USA or who allow an American service providers access to data stored in the European Union or the European Economic Area (e.g. through cooperation with US American service providers for the use of Cloud services) must ensure that this data processing is based on a secure legal foundation.
  2. Check what legal foundation you are using for your data Transfers! If you do undertake such data transfers, in a second step you should examine what the legal foundation has been for the data transfers up until now. If the examination reveals that you or your business partners have been basing data processing exclusively on Safe Harbor, you need to act. This is because, since the Safe Harbor verdict, data transfers on the basis of Safe Harbor are no longer legal.
  3. Examine whether you can base you data transfers on other legal foundations! Alongside the no longer valid Safe Harbor Agreement, there are other legal foundations which companies can use to support the transferal of data to the USA. The use of EU Standard Contractual Clauses (SCCs), informed permission and the Binding Corporate Rules (BCRs) are three alternatives. For most companies, the EU SCCs can be considered. However, in a changeover to SCCs, it must be taken into account that it is difficult to foresee to what extent the CJEU decision may also impact on these. The German Data Protection Authorities have already announced that they now question the legality of data transfers to the USA on the basis of other legal instruments for this purpose, such as the EU SCCs. This is also the case for the Binding Corporate Rules, another legal instrument used for the transfer of data, which are especially relevant for connected companies and corporations. The Data Protection Authorities in Germany have therefore already announced that they will not be granting any further permission for data transfers to the USA on the basis of BCRs or data export contracts.
    Permission from the customer for the transfer of personal data can, under certain conditions, be an acceptable foundation for the data transfer. In principle, however, the data transfer may not be repeated, routine or on a large scale on the basis of such consent. Permission also entails the disadvantage, from the perspective of legally certain business processes, that the customer can at any time withdraw this consent.
    What appears at first glance and from a legal perspective to be the simplest solution is the relocation of data processing for the present time. From a commercial perspective, however, this option is only sensible and practicable to a limited extent. However, if no new agreement is reached in the near future in the current negotiations between the EU Commission and the American Government,  companies should consider relocating data processing to the European Union or the European Economic Area. This is especially the case with regard to the unforeseeable impact of the CJEU decision on the validity of the EU Standard Contractual Clauses and the Binding Corporate Rules.
  4. Inform you customers! In order to counter complaints, action by the supervisory authorities and potential lawsuits in advance, transparent and clear communication with your customers is highly recommended.
  5. Observe the further developments! Follow further developments – in particular, the current negotiations for a new Safe Harbor Agreement between the EU Commission and the US Government. It is also helpful to keep an eye on announcements made by the Data Protection Authorities.


Read the complete eco White Paper on the EUCJ Safe Harbor Decision here.