In ruling that the Safe Harbor framework is now illegal, the court expressed particular concern with the ability of U.S. intelligence agencies to access personal information and found that the longstanding provision insufficiently protected EU citizens' personal data.

This judgment affects any company relying on the Safe Harbor program to validly transfer personal data, such as payroll and HR information, across the Atlantic. It will also have an immediate impact on how companies conduct internal investigations of misconduct in the EU.

Although a brief grace period has been granted before enforcement begins, this decision will leave companies scrambling as they consider their options for legal data transfers.

Under the European Commission’s Data Protection Directive, companies that export the personal information of EU citizens are required to provide privacy protection consistent with EU standards. The Safe Harbor framework developed by the Department of Commerce and European Commission allowed U.S. companies to self-certify, subject to enforcement by the Federal Trade Commission, that they adequately complied with EU privacy standards and would protect EU data in the United States. Thousands of companies, in particular smaller companies, relied on this agreement to operate in the EU.

Read Full Article