CJEU invalidates Safe Harbor
Dear Initech clients,
You may have followed the big news about the abolition of the EU-US Safe Harbor by the Court of Justice of the European Union (“CJEU”), but we still wanted to provide an update on the court ruling and on the impact it has on Israeli businesses exporting data to the US.
CJEU invalidates Safe Harbor
On Tuesday 6 October 2015 the CJEU released its decision in the Maximilian Schrems v Irish Data Protection Commissioner case. The CJEU decided that Decision 2000/520 is invalid. Decision 2000/520 is the European Commission’s ‘adequacy decision’, which used to justify transfers of personal data from the European Economic Area to companies in the United States of America that self-certified compliance with the Safe Harbor Privacy Principles as negotiated between the Commission and the US Department of Commerce.
What is the impact of the CJEU ruling on businesses?
Many businesses are now confronted with a very real problem in transferring personal data, since the Safe Harbor can no longer be relied on as a lawful basis for exporting data from the EU to the US. Since the CJEU ruling, thousands of businesses are formally infringing privacy regulations for lack of a proper justification.
In a statement released by the Israeli Law Information and Technology Authority (“ILITA”) about the implications of the CJEU ruling, ILITA stated that local businesses can no longer rely on the Safe Harbor as a basis for transfers of personal data from Israel to the US. Thus, for example, an Israeli business storing employees’ HR data (e.g. salary, data concerning sick leave, maternity leave, etc.) in data centres located in the US can no longer rely on the Safe Harbor as a basis for the transfer of personal data from Israel to the US.
We would expect immediate problems to arise from specific complaints (coming from data subjects, employees or customers) and for data-heavy businesses that are already in a regulator’s focus. Potentially more harmful to business, companies will need to be more aware of data transfer compliance, which requires more effort from the parties to safeguard privacy rights.
We see the following options as short-term solutions for transferring personal data to the US without infringing the privacy regulations in Israel or in EU member states: contract a data centre in the EU; implement EU Standard Contractual Clauses with as many group affiliates, vendors and B2B customers as possible (Standard Clauses are standardised contracts issued by the EU Commission); and make plans for implementing Binding Corporate Rules.
* * * * *
This update is not legal advice or legal opinion. It is intended to provide general information and references to companies and their executives. If you have any questions, don’t hesitate to contact us:
Alon Saposhnik, Lawyer, LLB MLB (Hamburg)