For more than a decade, some 4,500 U.S.-based companies have self-certified compliance with the European Union’s data privacy directive via the U.S. Department of Commerce “safe harbor” program. On October 6, the European Union Court of Justice struck down the safe harbor program. The full implications of this decision on companies that transfer personal data of E.U. citizens into the U.S. remain to be seen. Unresolved questions include:
- Does the decision only apply prospectively or open the door for retroactive enforcement actions?
- How will individual E.U. member states, with varying decentralized data protection laws, deal with data transfers going forward?
- How and when will a legislative solution to “replace” the safe harbor program emerge?
Until these and other questions are answered, a company that previously held safe harbor status would do well to reexamine its practices on transferring and storing the personal data of E.U. citizens, its use of the E.U. standard clauses and the contracts in place with its relevant vendors.