5 things you need to know about legally transferring data out of Europe

23.11.2015
1. It only concerns personal data  The Safe Harbor agreement was -- until it was struck down by the Court of Justice of the European Union on Oct. 6 -- a way to reconcile differences between U.S. privacy laws and the EU's 1998 Data Protection Directive, which prohibits the transfer of Europeans' personal information to countries with inadequate privacy protections. If all you're shifting is production data or environmental measurements, then carry on as you were.

2. It's not the only way to transfer data legally  The directive provides other legal mechanisms under which businesses may transfer personal data outside the EU, whether to the U.S. or elsewhere, including model contract clauses, informed consent, and binding corporate rules. If you work for a multinational conglomerate, your company may have already established binding rules guaranteeing the protection of personal data transferred between different subsidiaries.

3. Your cloud provider may already have your back  Although Amazon Web Services and Microsoft Azure were registered under the Safe Harbor program, it's not game over for them or their customers. Their contracts already include model clauses approved by European data protection authorities promising that the personal information they process will be adequately protected. 

4. Even the alternatives to Safe Harbor may prove inadequate  Many observers have noted that the alternatives to Safe Harbor suffer from some of the same inadequacies that bothered the judges of the CJEU, and may themselves become subject to legal challenge. Data protection authorities across Europe have said they will continue to support the alternatives for now, but German regional DPAs are so concerned they have already refused to approve further model contract clauses and want businesses to stop personal data exports. 

5. January 31 is when things get interesting  That's the deadline Europe's DPAs have given the European Commission to agree on new Safe Harbor rules with the U.S. -- and if no agreement is forthcoming, it's also the date by which they expect companies to find an alternative to Safe Harbor. Until then, they've promised (outside Germany, at least) not to audit or prosecute companies for exporting personal data to the U.S.

Peter Sayer