Safe Harbor is Dead. Long Live Safe Harbor…?


3 November 2015

Data sharing has almost been taken for granted in the past few years. Certainly from a technical perspective, secure data sharing has become much easier for businesses thanks to advances in cloud technology in particular.

At the same time, however, the burden of regulation has been steadily increasing, causing headaches for businesses and IT departments. One exception though was data sharing between the EU and US, which was made easier by the 15-year-old Safe Harbor rules. This agreement was designed to relax restrictions on data transfer between the UK and US, ostensibly to facilitate business.

But that all changed in October 2015 when the Court of Justice of the European Union (CJEU) ruled Safe Harbour invalid, on the grounds that it was held to breach the privacy rights of EU citizens. This verdict had an immediate, wide-ranging impact on European and US businesses, and how they transfer data between the two territories. Data transfers to US businesses that would previously have been covered under Safe Harbour are now invalid, and any business failing to make alternative arrangements now risks legal sanctions.

So what now for the 4,000-plus businesses which relied on Safe Harbor rules for US-EU data transfer? After all, the supporting theory from which Safe Harbor was born – expediting secure data transfer between the EU and US to boost business – remains very valuable.

Once the CJEU’s verdict was announced, businesses immediately looked to alternatives such as EU model contract clauses and binding corporate rules (BCRs). And now the situation changes again, with the news that the EU and US have agreed in principle on a new treaty – a Safe Harbor 2.0, if you will. These discussions have been ongoing since 2013, and a final deal is expected soon (the national deadline is said to be set for the end of January 2016).

Meanwhile, businesses can best prepare for the new Safe Harbor by assessing their options. That means examining data flows, and assessing the scale and sensitivity of shared information. Review existing contracts with cloud vendors to see if they already include the use of model clauses. If not, try to find a vendor that does, or modify your existing agreements and try to reduce workflow interruptions before a longer-term solution is found. Check with a data privacy lawyer to ensure every angle is covered.

Data sharing can’t be taken for granted any more. Companies and their cloud providers are responsible for protecting personal data, and this responsibility is only going to increase with the onset of the EU General Data Protection Regulation in, most likely, 2016. The penalties for wrongdoing are well-publicized and severe, and there are no scapegoats for companies which fail to adapt.



Deema Freij

Deema Freij

Deema Freij is SVP, Deputy General Counsel and Global Privacy Officer, based in Intralinks’ London office. Deema oversees global data governance within the company and is responsible for further strengthening the company’s worldwide focus on data privacy and the regulatory demands placed on its customers. Deema brings almost two decades of experience in the legal profession. Prior to joining Intralinks in 2011 as Legal Counsel, EMEA & APAC, she spent seven years as a legal consultant.