Hold onto your hat, but, on October 6, 2015, the Court of Justice of the EU abolished the safe harbor on which US companies rely for transfers of data between the US and EU. So, as of today, if you are transferring “personal data” between the US and the EU and you are relying on the safe harbor to do so, you are no longer in compliance with the EU Data Protection Directive. Full Stop. If this describes your company, here is what you need to do next.
Since you can no longer rely on the safe harbor, you will have to do the following:
1. Intercompany Transfers: If the data transfer is between companies belonging to the same multinational corporation, then you can get back into compliance by adopting “binding corporate rules” and getting them approved by the national “data protection authority.” The problem with this approach is that it may take 18 months to get such approval. If you can’t put all data transfers on hold that long, see option 2 below.
2. Transfers Between Unaffiliated Companies. For all other transfers, the parties will have to enter into “standard contractual clauses.” There are three types of standard contractual clauses, so you will have to pick which ones apply to your roll as either a data “controller” or a data “processor” or both.
3. Comply. One last thing. Once you’ve adopted approved binding corporate rules or entered into standard contractual clauses, you will actually have to comply with them. This may have far reaching implications for internal policies and practices.