ECJ Safe Harbor Ruling

High-level note on the ECJ ruling on Safe Harbor and its implications.

7 October 2015

Yesterday, the European Court of Justice ruled that the long-standing Safe Harbor arrangement between the EU and US does not provide an adequate level of protection for European personal data. As a result of this ruling, any organisation in the EU transferring data to a US organisation can no longer rely solely on the justification that the US organisation to which the European data is transferred is Safe Harbor certified.

Unless the data subjects whose personal data is being, or is to be, transferred to the US have expressly consented to the transfer, EU organisations will now be required to take additional steps to safeguard the personal data that they wish to transfer to the US, such as putting in place the EU Model Contract Clauses or Binding Corporate Rules.

This ruling is likely to have a significant impact on company groups that have parent or subsidiary undertakings in the US and on providers of cloud-based services, which is a rapidly growing sector.

If you would like further information on the ruling, or advice as to how to ensure that any data transfers to the US are compliant with the Data Protection Act 1998, please do not hesitate to contact Nicola Rinaldi on +44 (0)131 473 5466 or Joanna Boag-Thomson on +44 (0)141 566 8570.