Before:Anyone who transferred data containing personal information from Europe to the U.S. was protected from liability for data breaches as long as they complied with Safe Harbor standards created by the European Commission. Thousands of companies "self-certified" themselves as having complied with the Safe Harbor standards. The Event: This month, the Court of Justice of the European Union issued its ruling in Schrems v. Data Protection Commissioner that the Safe Harbor is no longer available. The Court cited Edward Snowdon’s surveillance practices as proof that the Safe Harbor standards don’t protect European citizens. After: Anyone who transfers data containing personal information from Europe to the U.S. has to find new ways to protect themselves from liability for data breaches.
TAKE AWAY: Companies who do business with the European Union and use the personal information of employees or customers should examine their data protection procedures. Alternative sanctioned methods of data security are out there. They range from using model contractual provisions to getting the individual to opt-in consent to transfer the data. Will using sanctioned methods work the same as the Safe Harbor did? That’s an open question. The U.S. and the European Union are working on a new version of the Safe Harbor standards but there’s no timetable for when we’ll see it.