US Data Transfers: Don’t panic! Practical next steps in the wake of Safe Harbor

United Kingdom

This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

You will already have heard about last week’s Schrems decision in which Europe’s highest court, the CJEU, invalidated the Safe Harbor scheme. The scheme had previously been relied on by over 4000 US organisations and countless more EU group companies and counterparts to legitimise EU-to-US data transfers.

In the immediate aftermath of the ruling, the Commission has stated that transatlantic transfers can continue based on the other available mechanisms, which remain valid. EU regulators are now considering next steps, with further guidance expected shortly from Europe’s influential Article 29 Working Party.

These FAQs focus on some practical questions that in-house lawyers and internal stakeholders are likely to be asking in the interim.

What do I need to tell the Board? Is immediate action required? What is the risk level?

If your organisation has been relying on the US Safe Harbor, then, while we await guidance from the EU regulators, the decision creates uncertainty and potentially compliance risk.

  • Don’t panic.  Enforcement risk is likely to remain low in the short term while regulators take stock of the decision and work out its implications.  You have some breathing space to take stock of your exposure and plan your response.
  • Do work out which of your suppliers are relying on Safe Harbor.
  • Do consider whether there are any alternative mechanisms already in place that address adequacy requirements, such as model clauses and consent and, more unusually, binding corporate rules for processors.
  • Do plan remediation for those suppliers where there is no valid mechanism in place.
  • Do monitor what the regulators say over the next couple of weeks.

The true impact of this decision will depend on many factors: the size and resources of your organisation, and the scale and sensitivity of the data concerned. The reality is that there is no “one-size-fits-all” fix.

Frequently asked questions

  1. When can we expect new guidance on this?
  2. Won’t this situation just blow over?
  3. What is, or was, the Safe Harbor, and why is invalidation such a headache?
  4. What are the key legal points? Why has the CJEU ruled Safe Harbor invalid?
  5. What does invalidation mean in practical terms? Could I face enforcement action?
  6. How soon must I put an alternative in place? Will there be a grace period?
  7. What are the alternatives?  What are the costs and what are the pros and cons?
  8. How have the major regulatory stakeholders reacted?
  9. Olswang comment
  10. In more detail – legal analysis


Please contact us if you have any questions about the impact of this decision on your organisation.