January 26, 2016 Articles

The U.S.–EU Privacy Safe Harbor Is Invalid

What can companies do now to avoid its enforcement, what regulatory framework will replace it, and how can clients prepare?

by Thomas Carey

The flow of data between the European Union (EU) and the United States is enormous. Much of it relates to individuals and their activities. For example, credit card use, Internet searches, Facebook entries, and software license registrations all create data that is tied to an individual, and that data has in the past traveled relatively freely between U.S. and EU businesses. A recent court decision may be about to change all that.

Transferring Data Between the European Union and United States
The right to privacy is explicitly recognized in the European Union by virtue of the European Convention on Human Rights. The European Union has taken this issue quite seriously, forbidding by Directive 95/46 the transfer of data about EU individuals to countries that do not ensure an adequate level of protection of that data. While some non-EU countries have been designated as having an adequate level of protection, the United States has not.

Historically, there have been two ways for EU companies to transfer data to entities in countries that have inadequate privacy protections. One is to enter into contracts containing the exact terms spelled out in so-called "Model Clauses" promulgated by the EU Commission. The other method is available for transfers between corporate affiliates and involves binding corporate resolutions (BCRs). In addition, a foreign company can collect data directly from the individuals concerned, with their consent.
