Last week, on October 6, the Court of Justice of the European Union (“CJEU”) issued a binding judgment invalidating the European Commission Decision that authorized the EU-U.S. Safe Harbor arrangement. For the past fifteen years, this arrangement has been relied upon by many businesses to transfer personal data from the European Union to the United States in compliance with the EU Data Protection Directive. As a result of the CJEU’s judgment, self-certification under the Safe Harbor framework is no longer sufficient to comply with the Directive.
The CJEU judgment creates uncertainty for U.S. companies processing or storing EU data. Without the protection of the Safe Harbor, U.S. organizations must take steps to ensure that any transmission of personal data from the European Union to the United States is carried out in compliance with the Directive.
To learn more, please read the full Alert. Please do not hesitate to contact Morse, Barnes-Brown, and Pendleton’s privacy and data security team if you would like to discuss options for your business in light of this decision.