The Death of Safe Harbor as We Know It

In a decision that has consequences for thousands of businesses with operations in Europe, the EU's highest court has struck down the Safe Harbor Agreement.

7 October 2015


In a decision that has far-reaching consequences for thousands of businesses with operations in Europe, the European Union’s (EU) highest court has struck down the 15-year old Safe Harbor Agreement that allows companies to transfer personal data about EU citizens from Europe to servers in the United States (US).

The Court’s decision was based on a case brought by Austrian Max Schrems that involved data transfers from Ireland to the US by Facebook. Under today's decision, transfers to US-based businesses under Safe Harbor are no longer valid (over 4,000 businesses rely on Safe Harbor today). This means that without alternative legal solutions in place, any business that sends data to the US risks fines or orders to suspend data transfers.

Safe Harbor has rapidly been losing credibility for some time and its validity was questioned long before this decision. Brussels and Washington D.C. are currently trying to negotiate a revised Safe Harbor Agreement, and this ECJ ruling sends a clear signal to US regulators that they need to act quickly.

So what are the other options? At the moment they include EU model clauses and binding corporate rules (BCRs), although the latter involves a long approval process from the European regulators. Many businesses, anticipating the legal issues with Safe Harbor, have already been using model clauses as the method under which to carry out the international transfer. At Intralinks, we’ve been implementing model clauses with many European clients for some time and have also embarked on a BCR application.

Companies should proactively engage with their vendors to fully understand how they plan to ensure that data transfers are fully compliant with EU law, and that they aren’t solely reliant on Safe Harbor. Under EU law, so-called “data controllers” bear responsibility for protecting information — this is typically the companies which gather and control how the data is used. These companies can’t absolve themselves and assume that third-party data storage or processing partners are responsible.

The EU’s decision is the proverbial tip of the privacy iceberg. Expect to see more regulations emerge across the globe that are designed to protect citizen data — countries as diverse as Brazil, Singapore and Russia are enacting new regulations. These laws will be complex, and organizations need to plan now to avoid business disruption, reputational harm and possible fines.

Scott Semel

Scott Semel

Scott N. Semel was appointed executive vice president, general counsel, and corporate secretary of Intralinks in January 2012. Previously, Scott served as senior vice president, general counsel, and secretary of Novell, Inc. Prior to joining Novell, he was chief legal officer and corporate secretary at Tele Atlas N.V., a Dutch Euronext company providing digital mapping and navigation solutions. Scott has also served as vice president, general counsel, and secretary for several NASDAQ listed companies, Ascential Software Corporation and NaviSite, Inc.