The Court of Justice of the European Union (ECJ) has now declared Safe Harbor invalid – in total. The ECJ has sent the case back to the Irish Data Protection Authority to determine whether Facebook Ireland’s transfer of personal data to the US is permitted under EU data protection law, in light of Facebook’s participation in the NSA’s PRISM program and bereft of the shelter of Safe Harbor.
If your company relies exclusively on Safe Harbor as the basis for its transfer of personal data from the EU to the US, it will need to find another basis for the transfer as soon as possible. This is relevant to any US company that has employees in Europe and could impact how—and even if—HR personal data of its EU employees is transferred to, accessed by, or processed in its US operations. It could also impact the utilization of HRIS cloud systems.
By way of background, the European Union’s Data Protection Directive (1995) prohibits the transfer of personal information outside of the European Economic Area unless the receiving country ensures an adequate level of privacy protection. Soon after the Directive was passed, the European Commission determined that the US doesn’t offer adequate levels of protection. In response, the EU and the US negotiated the Safe Harbor agreement in 2000 to allow US companies to self-certify that they provide protections that are equivalent to the requirements of the EU’s Data Protection Directive. Currently, over 4,500 US companies rely on the EU-US Safe Harbor program to make their transfer of personal data from the EU to the US legal under European privacy laws.
Now, with the Court of Justice’s opinion, companies that rely exclusively on Safe Harbor as the basis for their transfer of personal data from the EU to the US will need to find another basis for the transfer as soon as possible.