Client Alert: European Court of Justice Strikes Down Safe Harbor Agreement For Data Transfer Between US and Europe

Insights October 8, 2015

Europe’s highest court, the European Court of Justice, has stricken the Safe Harbor agreement that was designed to allow companies to move personally identifiable digital information such as people’s web search histories and social media updates between the European Union and the United States. Many companies had been relying on this international agreement to allow data transfer between the U.S. and Europe. Quite candidly very few had actually gone through the Safe Harbor certification process under the agreement. In any event, companies need to ensure that the data remains in servers within at least one of the 28 EU countries, to the extent possible. Companies that rely on the transfer of data to function, such as Google and Facebook, are in legal limbo. The question for any company that relies on data transfer is whether the company can function without transferring EU data to U.S. servers. If so, keeping the data in a EU nation would suffice, because the EU allows data between EU nations to be transferred without many obstacles (i.e., there is a presumption of trusted nation between the EU countries). If not, it will be legal limbo until a work-around can be invented. For the time being, this is sending shock waves to organizations that rely on the transfer of personally identifiable data to function. As the past GC of a global medical device company, I can tell you that my previous company would have had trouble functioning without the transfer of medical data to our servers. However, modern encryption technologies may address the problem. The question is whether this would satisfy EU authorities.

For more information contact Rimon Partner John Isaza.