5 Things Companies Should Consider in Reaction to the EU Decision on Safe Harbor
By The Global Privacy and Cybersecurity Practice
Yesterday, in a landmark
In response to the decision (and some in preparation for it), clients who are currently depending on Safe Harbor to transfer data from the EU to the United States (or as the backbone of global transfers) have been taking or considering one or more of the following approaches to minimize compliance and enforcement risks:
Put Model Contracts in Place (also BCRs Longer Term). Putting in place Model Contracts/Intra-Group Agreements (or even outsourcing data storage or certain IT operations to vendors with data transfer mechanisms in place) to cover any data transfer or access gaps they feel they may have (as a longer term solution, some companies are considering binding corporate rules as one additional data transfer mechanism to also put in place);
Review Data Flows and Prioritize Remediation. Inventorying what personal data are being stored and transferred and prioritize key data transfer activities that must remain intact (business or operationally critical) and focus efforts toward ensuring data transfer and storage solutions are in place or can be rerouted or stored in a way to minimize risks (or avoid using a Safe Harbor-supported pathway);
Contract Analysis. Analyzing existing contracts where there could be a breach based on the European Court of Justice opinion (or pursuant to a subsequent determination in an European Economic Area (EEA) member country), and, in such analysis, prioritizing the relationships and contracts to review data transfer pathways and compliance and/or to identify alternative legal or data architecture solutions;
Consider EU Country-by-Country Leeway. Identifying where servers in the EU are located, and the specific local requirements and privacy protections, as national authorities will have greater leeway; and
Outreach to DPAs and Monitor Consumer Complaints. Reaching out to Data Protection Authorities to build relationships and trust, while also updating consumer complaint and redress procedures to heighten alert to any specific requests or complaints as we expect more individuals to raise issues and concerns around privacy and data transfers.
To learn more about the impact of the decision on your company and about the approaches being taken by others, please contact
Caveat Vendor is Paul Hastings’ Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.