Safe Harbour accreditation is used by over 4,000 companies, so the ruling has triggered an urgent scramble to put in place alternative data transfer processes which comply with strict EU data protection rules.
This significant change has arisen out of a challenge by an Austrian user of Facebook who, like all EU-based subscribers, has to contract with Facebook's Irish subsidiary at the time of registration. He complained about the transfer of his personal data to Facebook's servers in the US.
We are now consulting with several clients, currently reliant on Safe Harbour, on what changes are needed to restore their legal compliance as quickly as possible. There are two broad solutions to the immediate problem:
- For internal data transfers (within a group of companies): introduce new corporate rules for transferring data, in the form of EU-approved Corporate Binding Rules;
- For third-party data transfers: incorporate EU-approved Model Contract Clauses in all contracts with third parties which make reference to the transfer of personal data.
We recommend that clients who currently rely on Safe Harbour take the following steps:
- Identify the types of EU-US data flows which exist in your organisation. For example, these data flows could be a) EU subsidiary to US parent, b) EU sub-contractor to US contractor and c) EU company to US service provider.
- Identify what contracts are in place for each type of data flow.
- Identify what wording changes are required (e.g. adding the Model Contract Clauses as an appendix to the contract) and implement the changes as soon as possible.
- Introduce new rules for the management of personal data, in accordance with EU regulations, accompanied by internal communication and staff training.
- Carry out a wider review of current data protection and privacy policies, including, for example, a review of the wording of customer data consent forms on your website.
For further information and to arrange a consultation, please contact us on the details below.